I found an XSS via SVG file attachment in the file upload of the Messaging module.
1. First, open the latest version of the demo environment: https://www.rosariosis.org/demonstration/index.php
2. Log in with the student account (username and password "student").
3. After logging in, open "MESSAGING > Write" from the menu on the left (/demonstration/Modules.php?modname=Messaging/Write.php).
4. Enter any title and message.
5. Upload an SVG file containing the XSS payload under "File Attached".
6. Finally, select "Teach Teacher" as the recipient and send.
7. Now log in with the teacher account (username and password "teacher").
8. After logging in, open "MESSAGING > Messages" from the menu and select the message just sent.
9. Click the attached file at the bottom of the message; the script in the SVG runs and the alert pop-up appears.
-Endpoint: POST /demonstration/Modules.php?modname=Messaging/Write.php&search_modfunc=list&recipients_key=staff_id&subject=<title>&message=<message>&recipients_ids[0]=2&send=Send
-Attachment: SVG file
-Test Payload: <script type="text/javascript">alert(document.cookie)</script>
Because the attachment is rendered inline from the application's origin, the script runs in the recipient's session and can read document.cookie, as the test payload shows; if the session cookie is flagged HttpOnly the cookie itself is not exposed, but the script still runs as the logged-in teacher and can act on their behalf in the application.
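As an added example, not code from the original report or from RosarioSIS, here is a server-side check of the kind that closes this class of bug: it parses an uploaded SVG and rejects it if it carries active content (script elements, event-handler attributes, javascript: hrefs, foreignObject), and it builds the response headers that make a stored attachment download rather than render inline in the site's origin. The SVG bodies are constructed here around the report's test payload; the size cap, the header set and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample attachment: the report's test payload wrapped in a
# minimal SVG document (the surrounding markup is assumed, not from the page).
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="red"/>
  <script type="text/javascript">alert(document.cookie)</script>
</svg>
"""

# Constructed benign attachment that must still be accepted.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect x="10" y="10" width="80" height="80" fill="blue"/>
</svg>
"""

# Constructed variant with no <script> element at all: a javascript: link and
# an event handler attribute, which a naive "contains <script>" filter misses.
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href=" JavaScript:alert(1)"><text x="10" y="20">click</text></a>
  <rect width="10" height="10" onload="alert(document.cookie)"/>
</svg>
"""

MAX_SVG_BYTES = 1_000_000  # assumed upload cap; expat has no entity-expansion guard


def _local(name):
    """Strip ElementTree's '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data):
    """Return the reasons an SVG upload would execute script if a browser
    rendered it directly; an empty list means nothing active was found."""
    findings = []
    if len(data) > MAX_SVG_BYTES:
        return ["oversized"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Unparseable input is rejected rather than passed through to the browser.
        return ["unparseable: %s" % exc]
    if _local(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignobject"):
            findings.append("<%s> element" % tag)
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                findings.append("event handler attribute %s on <%s>" % (a, tag))
            # Covers both href and xlink:href; leading whitespace and mixed case
            # are still a javascript: URL to the browser.
            if a == "href" and re.match(r"\s*javascript:", value, re.IGNORECASE):
                findings.append("javascript: URL in href on <%s>" % tag)
    return findings


def attachment_response_headers(filename):
    """Headers for serving a user-uploaded attachment so that even an SVG with
    script is downloaded, not rendered in the application's origin."""
    safe_name = re.sub(r"[^\w.\-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG), ("handler", HANDLER_SVG)):
        print(label, svg_active_content(body))
    print(attachment_response_headers('report"; x.svg'))
```

Rejecting at upload and serving with `Content-Disposition: attachment` are independent controls; applying both means a filter bypass in the first still does not give script execution in the recipient's session.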