Cross-site Scripting (XSS) - Stored in requarks/wiki


Reported on Dec 20th 2021


Stored XSS can be performed by uploading malicious XML / HTM files. There is no check in place to prevent such files from being uploaded, and the uploaded asset is served back to browsers, so any script it contains executes in the wiki's origin.

Proof of Concept 1 (XML)

1. Upload the following file as payload.xml, then open the uploaded asset in a browser:

                <something:script xmlns:something="">alert(1)</something:script>
                <a:script xmlns:a="">alert(2)</a:script>

Proof of Concept 2 (HTM)

2. Upload the following file as payload.htm, then open the uploaded asset in a browser:



Impact: anyone who can upload assets can store a malicious XML / HTM file that executes script in the browser of every user who opens it (stored XSS).

Recommended Fix

Only allow image file uploads (png / jpg / webp / svg [sanitize this one properly!]).

If restricting file types is not an option, I strongly suggest the Content-Disposition approach, since many other dangerous file types can be uploaded. I recommend:

  • For a selected set of safe file types (.png, .jpg, .svg (after sanitization), .pdf, .gif, etc.): send the Content-Disposition: inline header so that they can be viewed in the browser.

  • If the file extension does not match a safe file type: send the Content-Disposition: attachment header so that the file is downloaded to the user's computer instead of being rendered.

Alternative Fix: Serve Content-Disposition: "inline" for a selected set of file types deemed safe and Content-Disposition: "attachment" for the rest. In either case also send an explicit Content-Type and X-Content-Type-Options: nosniff, so that a browser does not sniff an HTML document out of a file served as an image.

Timeline

haxatron reported the issue and subsequently revised the report; huntr contacted the requarks/wiki team and sent a follow-up.
Nicolas Giard validated this vulnerability; haxatron has been awarded the disclosure bounty.
Nicolas Giard marked this as fixed in 2.5.264 with commit 79bdd4 and has been awarded the fix bounty.
This vulnerability will not receive a CVE.
assets.js#L163L220 has been validated.