Lucene search
Choocs2E12B773-B6A2-48DA-A4BB-55D5D1307D2EHistoryMar 13, 2023 - 1:52 a.m.
Cross Site Scripting (XSS) in Assets
2023-03-1301:52:23
choocs
www.huntr.dev
6
cross-site scripting
injection
malicious scripts
web application
flaws
browser side script
input validation
asset upload
proof of concept
admin login
end user
EPSS
0.001
Percentile
24.0%
Description
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
Proof of Concept
Step 1: Create a file named evil.html
<html>
<script type="text/javascript">alert(document.domain)</script>
</html>
Paste the code above inside the file of evil.html
Step 2: Login as admin
Step 3: Go to Assets
Step 4: Upload the created file
Step 5: Copy asset link and paste it at a new tab.
Step 6: XSS triggered
References
Related
osv
osv
Cockpit Cross-site Scripting vulnerability
2023-08-18 21:30:24
CVE-2023-4422
2023-08-18 19:15:13
nvd
nvd
CVE-2023-4422
2023-08-18 19:15:13
github
github
Cockpit Cross-site Scripting vulnerability
2023-08-18 21:30:24
veracode
veracode
Cross-site Scripting (XSS)
2023-08-22 10:20:21
cvelist
cvelist
CVE-2023-4422 Cross-site Scripting (XSS) - Stored in cockpit-hq/cockpit
2023-08-18 18:35:17
cve
cve
CVE-2023-4422
2023-08-18 19:15:13
prion
prion
Cross site scripting
2023-08-18 19:15:00