πŸ”’
theB10G
  • ⁉️Welcome/whoami
  • πŸ‘¨β€πŸ”¬Malware Analyst for a day
  • πŸ“§Spooky Scammers (Back for the holidays)
  • πŸ’°Hacking the Scammers
  • πŸ’°Systematic Destruction (Hacking the Scammers pt. 2)
  • πŸ€΅β€β™‚οΈSQL Injection in Security Cleared Job Site
  • ↩️XSS Security Policy Bypass
  • πŸ“ŠCraft CMS Unauthenticated SQLi via GraphQL
  • πŸ₯MISI Hack the Building 2.0 Hospital Edition
  • πŸ“”Booked v2.5.5/LabArchives Scheduler Vulnerability
  • πŸ΄β€β˜ οΈCTF Writ3ups
  • πŸͺ–ARCENT Best Cyber Warrior 2023
  • πŸ’΅Bounty Hunter Writeup
  • πŸͺ„Previse Writeup
  • πŸ‘ΎeJPT certification Review
  • πŸ”₯Sauna Writeup
  • πŸƒβ€β™‚οΈActive Writeup
  • 🚘Driver Writeup
  • ❌Trick Writeup
  • πŸ“ŠGraphQL Query Authentication Bypass Vuln
  • πŸ•ΈοΈeWPT Certification Review
  • β˜€οΈ2022 DOE Cyberforce Competition
  • ⛏️Data Mining CVEs and Exploits
  • πŸ’»eCPPTv2 Certification Review
  • Breaking GraphQL Presentation
  • Springshare LibApps Stored XSS
Powered by GitBook
On this page

Was this helpful?

Springshare LibApps Stored XSS

Springshare LibApps authenticated Stored XSS in discussions.php

PreviousBreaking GraphQL Presentation

Last updated 1 year ago

Was this helpful?

When conducting a test for a Bug Bounty program that I like I was testing a SaaS app from Springshare that was in scope. When doing my standard test for XSS in a discussion page it offered I got a hit. It had no filter or WAF so it was as simple as putting:

<script>alert("test for BB")</script>

This payload worked in both the body of the discussion post as well as the title and was executed whenever someone visited the discussion page, as it is a stored XSS.

See photo evidence here:

This has been submitted to Springshare and has also been reported to MITRE for a CVE identifier.

This software is used by over a thousand libraries around the world and could severely impact them if exploited by a threat actor, which could be anyone with how easy it is. Anyone with an account at the library could exploit this.