Created
March 25, 2022 05:00
-
-
Save CrimsonHamster/1aeec6db0d740de6ed4690f6a975f377 to your computer and use it in GitHub Desktop.
PoC A Stored Cross-Site Scripting (XSS) vulnerability in Joget DX 7 - Datalist table (CVE-2022-26197)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[Product Description] | |
Joget DX is an open source platform to easily build enterprise web apps for cloud and mobile. | |
[Details] | |
The data table generated via the Datalist table module was vulnerable to A Stored Cross-Site Scripting (XSS) vulnerability. In case that the application allows user submit the input to be displayed on this table, the input data will be collected. Then the Joget DX will display the collected data without escaping and let it to be executed on the browser (for Javascript data). | |
[Impact] | |
Running malicious web script or HTML script on victim's web browser. | |
[Affected component] | |
Joget DX 7 | |
[Attack Type] | |
Remote | |
[PoC] | |
1. Submit <a href="javascript:x='%27-alert(1)-%27';">XSS</a> to a form (that will displayed on the Datalist table) on the website generated by Joget DX. | |
2. Click the “XSS” link to trigger the javascript. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment