# Springshare LibApps Stored XSS

When conducting a test for a Bug Bounty program that I like, I was testing a SaaS app from Springshare that was in scope. When doing my standard test for XSS in a discussion page it offered, I got a hit. It had no filter or WAF, so it was as simple as putting:

```
<script>alert("test for BB")</script>
```

This payload worked in both the body and the title of the discussion post, and it was executed whenever someone visited the discussion page, as it is a stored XSS.

See photo evidence here:

<figure><img src="https://1987229882-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuSROL4SI6SkTn8EwsIii%2Fuploads%2Fm2A5vvypS1zabbOKOBI0%2FSpringShareXSSDiscussion.PNG?alt=media&#x26;token=6131e687-d4b3-40af-81ab-ffdc83a508cf" alt=""><figcaption></figcaption></figure>

This has been submitted to Springshare and has also been reported to MITRE for a CVE identifier.

This software is used by over a thousand libraries around the world, and it could severely impact them if exploited by a threat actor. Given how easy it is, that could be anyone: anyone with an account at the library could exploit this.
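The missing control described above is output encoding of the title and body fields. The following is an added example, not Springshare's code and not part of the original write-up: a hypothetical discussion-post renderer in its unencoded and encoded forms, plus a regression check that reports which fields still pass markup through. The function names, the post shape and the CSP value are assumptions.

```javascript
// Added example. renderPostUnsafe, renderPostSafe, escapeHtml and
// unescapedFields are hypothetical names; the post shape is assumed.

// The test string from the write-up, used here as a regression canary.
const CANARY = '<script>alert("test for BB")</script>';

// Vulnerable pattern: stored user input concatenated straight into HTML.
function renderPostUnsafe(post) {
  return `<article><h2>${post.title}</h2>` +
         `<div class="body">${post.body}</div></article>`;
}

// Encode the characters that are significant in HTML text and quoted
// attribute values. "&" is in the same pass, so nothing is double-encoded.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: encode every user-controlled field at output time,
// so the stored value is displayed as text instead of parsed as markup.
function renderPostSafe(post) {
  return `<article><h2>${escapeHtml(post.title)}</h2>` +
         `<div class="body">${escapeHtml(post.body)}</div></article>`;
}

// Defence in depth (assumed policy): with no 'unsafe-inline' in script-src,
// an inline <script> that slips past encoding is still not executed.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Regression check: place the canary in one field at a time and report
// every field whose rendered output still contains it verbatim.
function unescapedFields(render, fields = ['title', 'body']) {
  return fields.filter((field) => {
    const post = { title: 'ok', body: 'ok', [field]: CANARY };
    return render(post).includes(CANARY);
  });
}

console.log('unsafe renderer leaks:', unescapedFields(renderPostUnsafe));
console.log('safe renderer leaks:  ', unescapedFields(renderPostSafe));
console.log('suggested header: Content-Security-Policy:', CSP_HEADER);
```

Running the check against every template that displays discussion content catches a field that was missed, which matters here because both the title and the body were affected.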
