Cross-site Scripting (XSS) - Generic in kekingcn/kkfileview

Valid

Reported on

Jan 6th 2021

Description

kkFileView this package is vulnerable to Stored Cross-Site Scripting (XSS).

https://github.com/kekingcn/kkFileView

Steps To Reproduce-: (stored XSS)

  1. install https://github.com/kekingcn/kkFileView locally or https://file.keking.cn/index use demo
  2. while uploading files for preview use js code in file name paylload used ("><img src=x onerror=alert(222) ~2F>.xml)

POC

gdrive poc

Steps To Reproduce-: (reflected XSS)

  1. install https://github.com/kekingcn/kkFileView locally or https://file.keking.cn/index use demo
  2. use https://file.keking.cn/onlinePreview?url=f%22%3E%3Cimg%20src=x%20onerror=alert(222)%20~2F%3E

POC

poc2

to join this conversation