Springshare LibApps Stored XSS

Springshare LibApps authenticated Stored XSS in discussions.php

When conducting a test for a Bug Bounty program that I like I was testing a SaaS app from Springshare that was in scope. When doing my standard test for XSS in a discussion page it offered I got a hit. It had no filter or WAF so it was as simple as putting:

<script>alert("test for BB")</script>

This payload worked in both the body of the discussion post as well as the title and was executed whenever someone visited the discussion page, as it is a stored XSS.

See photo evidence here:

This has been submitted to Springshare and has also been reported to MITRE for a CVE identifier.

This software is used by over a thousand libraries around the world and could severely impact them if exploited by a threat actor, which could be anyone with how easy it is. Anyone with an account at the library could exploit this.

PreviousBreaking GraphQL Presentation

Last updated 10 months ago

Was this helpful?