Enviar #609063: Zavy86 WikiDocs 1.0.77 Cross Site Scriptinginformación

TítuloZavy86 WikiDocs 1.0.77 Cross Site Scripting
DescripciónHi, I'm a security researcher building my CVE portfolio. I found a reflected XSS on the WikiDocs home page. WikiDocs fails to HTML-escape the path portion of inbound requests before echoing it back into the home page. An attacker can craft a link that, when visited, executes arbitrary JavaScript in the context of the victim's session (reflected XSS). Proof of concept http://127.0.0.1/"><script>alert(42)</script> http://127.0.0.1/%22%3E%3Cscript%3Ealert(1)%3C/script%3E Path input should be HTML-escaped (e.g., htmlspecialchars($path, ENT_QUOTES, 'UTF-8')) so injected markup cannot run. Application Setup: docker run -d -p 80:80 zavy86/wikidocs # public demo https://demo.wikidocs.app/%22%3E%3Cscript%3Ealert(1)%3C/script%3E https://demo.wikidocs.app/%22%3E%3Cscript%3Ealert(1)%3C/script%3E References: https://github.com/Zavy86/WikiDocs/issues/256 Credits Discovered by Matan Sandori
Usuario
 MatanS (UID 86894)
Sumisión2025-07-04 08:46 (hace 12 meses)
Moderación2025-07-19 10:15 (15 days later)
EstadoAceptado
Entrada de VulDB317002 [Zavy86 WikiDocs hasta 1.0.78 template.inc.php path secuencias de comandos en sitios cruzados]
Puntos17

AnteriorVisión De ConjuntoPróximo

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!