Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stored Cross Site Scripting Allows to hijack the sessions #163

madhuakula opened this issue Jun 30, 2014 · 1 comment


None yet
2 participants
Copy link

commented Jun 30, 2014

Summary : Stored Cross Site Scripting Vulnerability leads to hijack the users sessions

Description :

About Vulnerability :

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Impact :

Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.

For more reference :

Steps to Reproduce : (POC)

Login as any user and add a document.

When you are adding a document. Give the name

"><img src=x onerror=prompt(document.domain)>.png

then upload it.



Mitigation :

Don't trust any user input and use proper sanitation

for more reference :

Madhu Akula
Information Security Researcher

@stephenlawrence stephenlawrence modified the milestones: 1.2.8, Jul 2, 2014


This comment has been minimized.

Copy link

commented Sep 6, 2015

@opendocman opendocman locked and limited conversation to collaborators Sep 7, 2015

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.