Description
b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid.
Remediation
References
https://github.com/b3log/symphony/issues/503
Related Vulnerabilities
CVE-2017-16145 Vulnerability in npm package sspa
CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http-core
CVE-2018-3738 Vulnerability in npm package protobufjs
CVE-2019-20149 Vulnerability in maven package org.webjars.bowergithub.jonschlinkert:kind-of
CVE-2021-3137 Vulnerability in maven package org.xwiki.commons:xwiki-commons