CVE-2021–39421.
A cross-site scripting (XSS) vulnerability in SeedDMS v6.0.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Discovered by: Shifa Cyclewala From Hacktify Cyber Security.
Reference:
https://owasp.org/www-community/attacks/xss/
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
What is XSS?
Cross-Site Scripting (XSS) is a web application vulnerability that occurs when an attacker injects malicious scripts into a trusted website. These scripts can be written in various scripting languages, such as JavaScript, and are executed by unsuspecting users’ browsers. XSS attacks can have a range of negative consequences, including stealing sensitive user information, hijacking user sessions, or defacing websites.
Bug Description:
To exploit the vulnerability anyone can send a special crafted request to and cause the XSS vulnerability to trigger. Attacker can send the following request to the endpoint with vulnerable parameter (folderid=)/out/out.DocumentChooser.php?form=5f41ac8885d5210dfebb22eabf92add0&folderid= to trigger the vulnerability → https://localhost/out/out.DocumentChooser.php?form=5f41ac8885d5210dfebb22eabf92add0&folderid=1w8il5'accesskey='x'onclick='alert(1)'//kv0x0&partialtree=0
Steps to Reproduce
Step1: Go to this URL https://localhost/out/out.DocumentChooser.php?form=5f41ac8885d5210dfebb22eabf92add0&folderid=118il5
Step2 : Add this payload [ ‘accesskey=’x’onclick=’alert(1)’//kv0x0&partialtree=0 ]at the vulnerable parameter [folderid=]
Step 3: You will see an XSS alert to confirm the presence of the vulnerability.
LinkedIn:
https://www.linkedin.com/in/shifa
Thank you
Shifa Cyclewala From Hacktify Cyber Security.