Springshare LibApps Stored XSS
Springshare LibApps authenticated Stored XSS in discussions.php
Last updated
While testing for a Bug Bounty program that I like, I was looking at a SaaS app from Springshare that was in scope. When I ran my standard XSS test against the discussion page the app offers, I got a hit. There was no input filter or WAF in front of it, so the injection was as simple as submitting:
The payload worked in both the body of the discussion post and its title, and because it is a stored XSS it executed in the browser of every user who subsequently visited the discussion page.
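To make the failure mode concrete, here is an added example that is not the page's own code and not Springshare's discussions.php: a minimal render function that concatenates a stored post's title and body straight into markup (the vulnerable shape), the same render with HTML output encoding (the fix), and a check a tester can run over the rendered output. The sample post, the function names and the markup layout are all assumptions made for illustration.

```javascript
// Added example (not from the original post, not Springshare code):
// stored XSS via an unescaped discussion title/body, and the output-encoding fix.

// Encode untrusted text for insertion into HTML element content.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable rendering: stored fields are interpolated verbatim, so any markup
// the poster saved is handed to every viewer's browser as live HTML.
function renderDiscussionUnsafe(post) {
  return `<h2>${post.title}</h2><div class="body">${post.body}</div>`;
}

// Hardened rendering: every field that originated from a user is HTML-encoded
// for the context it lands in (element content here), so it is displayed, not parsed.
function renderDiscussionSafe(post) {
  return `<h2>${escapeHtml(post.title)}</h2><div class="body">${escapeHtml(post.body)}</div>`;
}

// Check for active content in rendered HTML: a real <script> tag, or an
// on*= event handler sitting inside an actual tag (not inside escaped text).
function containsInjectedMarkup(html) {
  return /<\s*script\b|<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample post, standing in for what any authenticated user could
// submit through the discussion form. Both title and body carry a payload,
// mirroring the write-up's observation that both fields were affected.
const samplePost = {
  title: '<script>alert(document.domain)</script>',
  body: 'Hello <img src=x onerror="alert(1)">',
};

// Run the comparison so the block is useful stand-alone.
function compareRenderers(post) {
  return {
    unsafeIsExploitable: containsInjectedMarkup(renderDiscussionUnsafe(post)),
    safeIsExploitable: containsInjectedMarkup(renderDiscussionSafe(post)),
  };
}

console.log(compareRenderers(samplePost));
```

The check is deliberately applied to the rendered output rather than the submitted input: the write-up's finding is that nothing between the form and the page encodes the fields, so the place to verify a fix is the HTML the viewer receives.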
See photo evidence here:
This has been submitted to Springshare and has also been reported to MITRE for a CVE identifier.
This software is used by over a thousand libraries around the world, and exploitation could severely impact them. The bar for an attacker is low: anyone holding an account at an affected library could plant the payload, and it would then run for every user who viewed the discussion.