Submit #609063: Zavy86 WikiDocs 1.0.77 Cross Site Scriptinginfo

Titel	Zavy86 WikiDocs 1.0.77 Cross Site Scripting
Beschreibung	Hi, I'm a security researcher building my CVE portfolio. I found a reflected XSS on the WikiDocs home page. WikiDocs fails to HTML-escape the path portion of inbound requests before echoing it back into the home page. An attacker can craft a link that, when visited, executes arbitrary JavaScript in the context of the victim's session (reflected XSS). Proof of concept http://127.0.0.1/"><script>alert(42)</script> http://127.0.0.1/%22%3E%3Cscript%3Ealert(1)%3C/script%3E Path input should be HTML-escaped (e.g., htmlspecialchars($path, ENT_QUOTES, 'UTF-8')) so injected markup cannot run. Application Setup: docker run -d -p 80:80 zavy86/wikidocs # public demo https://demo.wikidocs.app/%22%3E%3Cscript%3Ealert(1)%3C/script%3E https://demo.wikidocs.app/%22%3E%3Cscript%3Ealert(1)%3C/script%3E References: https://github.com/Zavy86/WikiDocs/issues/256 Credits Discovered by Matan Sandori
Benutzer	MatanS (UID 86894)
Einreichung	04.07.2025 08:46 (vor 12 Monaten)
Moderieren	19.07.2025 10:15 (15 days later)
Status	Akzeptiert
VulDB Eintrag	317002 [Zavy86 WikiDocs bis 1.0.78 template.inc.php path Cross Site Scripting]
Punkte	17

Want to know what is going to be exploited?

We predict KEV entries!