
huntr
Khanhchauminh
DF347AA9-ED9B-4F75-AF99-C83B8AAD3BCF
History: Feb 25, 2022 - 2:32 a.m.

Cross-site Scripting (XSS) - Stored

2022-02-25 02:32:45
khanhchauminh
www.huntr.dev
stored xss
file library
xml
arbitrary code execution
website defacement
user account compromise
malicious code
device compromise
bug bounty

EPSS

0.001

Percentile

21.4%

Description

Stored XSS via an uploaded attachment with the .xml extension in the File Library.

Detail

When an attachment is opened, files of certain formats are served inline and rendered by the browser instead of being offered as a download. An XML file whose root element is in the XHTML namespace is parsed as an XHTML document, so any script element it contains runs in the origin that serves the attachment. This allows executing arbitrary JavaScript that was injected into the attachment at upload time.

Proof of Concept

PoC.xml

<?xml version="1.0"?>
<!-- An XML document whose root element is in the XHTML namespace is parsed
     by the browser as XHTML, so the script element below executes in the
     origin that serves the attachment. -->
<html:html xmlns:html='http://www.w3.org/1999/xhtml'>
<html:script>
alert(document.domain);
</html:script>
</html:html>

Steps to Reproduce

1. After logging in, click the arrow in the top right corner and go to File Library (https://www.showdoc.com.cn/attachment/index).
2. On the File Library page, click the Upload button and choose PoC.xml.
3. After the upload succeeds, click the check button to open the attachment in a new tab.


The XSS will trigger when the attachment is opened in a new tab.
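The following Python script is an added example, not code from the report or from ShowDoc. It detects the rendering trick used above (an XML document whose root element is in the XHTML namespace, or that carries script elements, event-handler attributes or an xml-stylesheet processing instruction; SVG is covered as well, since a browser treats it the same way) and builds the response headers a file-library endpoint should send so that uploads are downloaded rather than rendered. The sample documents, function names and header set are the example's own assumptions.

```python
"""Triage uploaded XML attachments for browser-executable content and build
response headers that keep any upload from rendering inline.

Added example, not ShowDoc's or huntr's code; the sample files below are
constructed for the demonstration.
"""
import re
from xml.parsers import expat

# Namespaces a browser treats as a live document when it renders the XML
# inline: XHTML (the PoC's trick) and SVG (same mechanism, same outcome).
ACTIVE_NAMESPACES = {
    "http://www.w3.org/1999/xhtml",
    "http://www.w3.org/2000/svg",
}

# Constructed: the report's PoC, with the closing tag's case fixed so that
# the document is well-formed XML.
POC_XML = b"""<?xml version="1.0"?>
<html:html xmlns:html='http://www.w3.org/1999/xhtml'>
<html:script>
alert(document.domain);
</html:script>
</html:html>
"""

# Constructed: an SVG variant that uses an event-handler attribute instead.
SVG_XML = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
"""

# Constructed: data-only XML that a browser renders as a plain tree.
BENIGN_XML = b"""<?xml version="1.0"?>
<config><item name="timeout">30</item></config>
"""


def xml_active_content(data: bytes) -> list[str]:
    """Return the reasons this XML would run script if rendered inline.

    expat runs with namespace processing, so prefixed names such as
    html:script resolve to "<namespace URI> <local name>". An empty list
    means nothing script-capable was found. A parse error is reported as a
    finding rather than swallowed: a browser may render whatever parsed
    before the error, so malformed input must not be treated as safe.
    """
    findings: list[str] = []
    parser = expat.ParserCreate(namespace_separator=" ")
    seen_root = False

    def start_element(name: str, attrs: dict) -> None:
        nonlocal seen_root
        ns, _, local = name.rpartition(" ")
        if not seen_root:
            seen_root = True
            if ns in ACTIVE_NAMESPACES:
                findings.append(f"root element <{local}> in {ns}")
        if ns in ACTIVE_NAMESPACES and local.lower() == "script":
            findings.append(f"<{local}> element in {ns}")
        for attr in attrs:
            if attr.rpartition(" ")[2].lower().startswith("on"):
                findings.append(f"event handler attribute {attr} on <{local}>")

    def processing_instruction(target: str, pi_data: str) -> None:
        # An xml-stylesheet PI lets an XSLT sheet generate HTML (and script)
        # at render time, even when the document itself looks inert.
        if target == "xml-stylesheet":
            findings.append(f"xml-stylesheet PI: {pi_data}")

    parser.StartElementHandler = start_element
    parser.ProcessingInstructionHandler = processing_instruction
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


def attachment_headers(filename: str) -> dict[str, str]:
    """Headers for serving any user upload from a file library.

    The root cause is that the server lets the browser render the upload.
    Forcing a download and forbidding content sniffing removes the rendering
    step regardless of what the file contains; the CSP is defence in depth
    for any client that renders anyway.
    """
    # Keep only filename characters that cannot break out of the quoted
    # parameter or smuggle a second header.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    for label, sample in (("PoC.xml", POC_XML), ("svg", SVG_XML), ("benign", BENIGN_XML)):
        print(label, xml_active_content(sample) or "no active content")
    print(attachment_headers("PoC.xml"))
```

The scanner is useful for triaging what is already stored; the headers are the actual fix, because they apply to every upload, including formats the scanner does not understand.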

Impact

This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.
