Lucene search
Tyage75CFB7AD-A75F-45FF-8688-32A9C55179AAHistoryJul 11, 2023 - 12:41 p.m.
XSS in webmention.js
2023-07-1112:41:30
tyage
www.huntr.dev
4
webmention.js
xss
vulnerability
comment name
unescaped
web security
EPSS
0.001
Percentile
33.1%
Description
webmention.js has a XSS vulnerability here.
Comment name has not escaped.
https://github.com/PlaidWeb/webmention.js/blob/9457e71433c0d2430bbe767ecc5b5837140d0ee4/static/webmention.js#L330
Proof of Concept
- 1 Put a webmention.js on your site
- 2 Send a webmention that includes XSS payload in
p-name
<article>
<span><img src=x onerror=alert(1)></span>
...
- 3 webmention.js will execute an alert in your site
Related
github
github
webmention.js Cross-site Scripting vulnerability
2023-07-14 12:30:20
osv
osv
webmention.js Cross-site Scripting vulnerability
2023-07-14 12:30:20
CVE-2023-3672
2023-07-14 10:15:08
veracode
veracode
Cross-Site Scripting (XSS)
2023-07-18 13:51:41
cve
cve
CVE-2023-3672
2023-07-14 10:15:08
nvd
nvd
CVE-2023-3672
2023-07-14 10:15:08
prion
prion
Cross site scripting
2023-07-14 10:15:00
cvelist
cvelist
CVE-2023-3672 Cross-site Scripting (XSS) - DOM in plaidweb/webmention.js
2023-07-14 09:27:32