CVE-2022–31454.
Yii 2 v2.0.45 was discovered to contain a Cross-Site Scripting (XSS) vulnerability via the endpoint /books.
Discovered by: Shifa Cyclewala & Rohit Gautam From Hacktify Cyber Security.
Reference:
https://www.acunetix.com/vulnerabilities/web/cross-site-scripting/
What is XSS?
Cross-Site Scripting (XSS) is a web application vulnerability that occurs when an attacker injects malicious scripts into a trusted website. These scripts can be written in various scripting languages, such as JavaScript, and are executed by unsuspecting users’ browsers. XSS attacks can have a range of negative consequences, including stealing sensitive user information, hijacking user sessions, or defacing websites.
Bug Description:
An attacker is able to perform XSS and steal the cookies of other users and perform unauthorized attacks in “/book” endpoint
Steps to Reproduce:
Step1: Go to https://example.com and add this endpoint /books
Step2 : You will see a XSS alert to confirm the presence of the vulnerability.
LinkedIn:
https://www.linkedin.com/in/shifa
https://www.linkedin.com/in/iamrohitg
Thank you
Shifa Cyclewala & Rohit Gautam From Hacktify Cyber Security.