Stored XSS viva cshtm file upload in star7th/showdoc
Mar 14th 2022
This is a bypass of the report:https://huntr.dev/bounties/8702e2bf-4af2-4391-b651-c8c89e7d089e/. Here the upload functionality allows the malicious files with the extension .cshtm which leads to Stored XSS.
Proof of Concept
1.First, open your text file/notepad and paste the below payload and save it as XSS.cshtm :
2.Then go to https://www.showdoc.com.cn/ and login with your account.
3.Afther that navigate to file library (https://www.showdoc.com.cn/attachment/index)
4.In the File Library page, click the Upload button and choose the XSS.cshtm
5.After uploading the file, click on the check button to open that file in a new tab.
This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.