πŸ”’
theB10G
  • ⁉️Welcome/whoami
  • πŸ‘¨β€πŸ”¬Malware Analyst for a day
  • πŸ“§Spooky Scammers (Back for the holidays)
  • πŸ’°Hacking the Scammers
  • πŸ’°Systematic Destruction (Hacking the Scammers pt. 2)
  • πŸ€΅β€β™‚οΈSQL Injection in Security Cleared Job Site
  • ↩️XSS Security Policy Bypass
  • πŸ“ŠCraft CMS Unauthenticated SQLi via GraphQL
  • πŸ₯MISI Hack the Building 2.0 Hospital Edition
  • πŸ“”Booked v2.5.5/LabArchives Scheduler Vulnerability
  • πŸ΄β€β˜ οΈCTF Writ3ups
  • πŸͺ–ARCENT Best Cyber Warrior 2023
  • πŸ’΅Bounty Hunter Writeup
  • πŸͺ„Previse Writeup
  • πŸ‘ΎeJPT certification Review
  • πŸ”₯Sauna Writeup
  • πŸƒβ€β™‚οΈActive Writeup
  • 🚘Driver Writeup
  • ❌Trick Writeup
  • πŸ“ŠGraphQL Query Authentication Bypass Vuln
  • πŸ•ΈοΈeWPT Certification Review
  • β˜€οΈ2022 DOE Cyberforce Competition
  • ⛏️Data Mining CVEs and Exploits
  • πŸ’»eCPPTv2 Certification Review
  • Breaking GraphQL Presentation
  • Springshare LibApps Stored XSS
Powered by GitBook
On this page

Was this helpful?

Last updated 1 year ago

Was this helpful?

When conducting a test for a Bug Bounty program that I like I was testing a SaaS app from Springshare that was in scope. When doing my standard test for XSS in a discussion page it offered I got a hit. It had no filter or WAF so it was as simple as putting:

This payload worked in both the body of the discussion post as well as the title and was executed whenever someone visited the discussion page, as it is a stored XSS.

See photo evidence here:

This has been submitted to Springshare and has also been reported to MITRE for a CVE identifier.

This software is used by over a thousand libraries around the world and could severely impact them if exploited by a threat actor, which could be anyone with how easy it is. Anyone with an account at the library could exploit this.

Springshare LibApps Stored XSS

Springshare LibApps authenticated Stored XSS in discussions.php

PreviousBreaking GraphQL Presentation
<script>alert("test for BB")</script>