CVE-2017-16881

Name of the Vulnerable Software and Affected Versions b3log Symphony (aka Sym) version 2.2.0

Description The issue is related to improper handling of XSS in JSON objects. Specifically, a crafted userAvatarURL value can be used to exploit this issue, as demonstrated in the /settings/avatar endpoint. The affected files include AdminProcessor.java, ArticleProcessor.java, UserProcessor.java, ArticleQueryService.java, AvatarQueryService.java, and CommentQueryService.java.

Recommendations For version 2.2.0, consider restricting access to the /settings/avatar endpoint until a proper fix is applied, and avoid using crafted userAvatarURL values to prevent potential exploitation. As a temporary workaround, consider disabling the userAvatarURL parameter in the affected endpoint until a patch is available.