Stored XSS via .webma file upload in star7th/showdoc

Valid

Reported on

Mar 14th 2022


Description

The application allows .webma files to be uploaded, which leads to stored XSS.

Proof of Concept

1. First, open a text editor such as Notepad, paste the payload below, and save it as XSS.webma:

<html>

<script>alert(1337)</script>

<script>alert(document.domain)</script>

<script>alert(document.location)</script>

<script>alert('XSS_by_Samprit Das')</script>

</html>

2. Then go to https://www.showdoc.com.cn/ and log in with your account.

3. After that, navigate to the File Library (https://www.showdoc.com.cn/attachment/index).

4. On the File Library page, click the Upload button and choose XSS.webma.

5. After uploading the file, click the check button to open that file in a new tab.

PoC URL

https://img.showdoc.cc/622f4ea178cad_622f4ea178ca6.webma?e=1647273016&token=-YdeH6WvESHZKz-yUzWjO-uVV6A7oVrCN3UXi48F:XZXTcR3LpROlOxNKJOLwowyUqT0=

Impact

This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.
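
A defensive sketch for this class of bug, added here as an example; it is not ShowDoc's code and not the fix in commit 3caa32. It shows an extension allowlist with a signature check at upload time, plus response headers that stop a stored file from rendering as HTML. The allowlist contents and the names `check_upload` and `response_headers` are assumptions made for illustration.

```python
import os

# Hypothetical allowlist: extension -> (Content-Type to serve, accepted magic bytes).
ALLOWED = {
    ".png":  ("image/png",       [b"\x89PNG\r\n\x1a\n"]),
    ".jpg":  ("image/jpeg",      [b"\xff\xd8\xff"]),
    ".gif":  ("image/gif",       [b"GIF87a", b"GIF89a"]),
    ".pdf":  ("application/pdf", [b"%PDF-"]),
    ".webm": ("video/webm",      [b"\x1a\x45\xdf\xa3"]),  # EBML header
}
# Types allowed to render inline; everything else is forced to download.
INLINE_OK = {"image/png", "image/jpeg", "image/gif", "video/webm"}


def check_upload(filename: str, data: bytes):
    """Return (ok, reason); reject unknown extensions and content mismatches."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not on allowlist"
    if not any(data.startswith(magic) for magic in ALLOWED[ext][1]):
        return False, f"content does not match {ext} signature"
    return True, "ok"


def response_headers(filename: str) -> dict:
    """Headers for serving a stored file. The type comes from the allowlist,
    never from the uploader or from sniffing, so a polyglot that passes the
    signature check is still not interpreted as HTML."""
    ext = os.path.splitext(filename)[1].lower()
    ctype = ALLOWED.get(ext, ("application/octet-stream", []))[0]
    return {
        "Content-Type": ctype,
        "Content-Disposition": "inline" if ctype in INLINE_OK else "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",  # no script even if rendered
    }


# Constructed sample input modelled on the report's XSS.webma file.
SAMPLE = b"<html>\n<script>alert(1337)</script>\n</html>"

if __name__ == "__main__":
    print(check_upload("XSS.webma", SAMPLE))   # unknown extension
    print(check_upload("clip.webm", SAMPLE))   # known extension, wrong content
    print(response_headers("XSS.webma"))       # legacy file already in storage
```

Serving user uploads from a separate origin, as the img.showdoc.cc host in the PoC URL suggests, limits what a rendered script can reach, but the headers above are still needed to keep the file from executing at all.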

We are processing your report and will contact the star7th/showdoc team within 24 hours. a year ago
star7th validated this vulnerability a year ago
SAMPRIT DAS has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th marked this as fixed in 2.10.4 with commit 3caa32 a year ago
star7th has been awarded the fix bounty
This vulnerability will not receive a CVE