Reflected XSS Vulnerability at `_detail/?lang` parameter in splitbrain/dokuwiki-plugin-translation
Reported on
May 27th 2023
Description
Reflected XSS vulnerability allows attackers to exploit the trust placed by a web application in user-supplied input, such as query parameters or form fields. In this case, the vulnerability was found in the following URL:
https://www.dokuwiki.org/_detail/?lang=1"><script>alert(document.domain)</script>
Proof of Concept
https://drive.google.com/file/d/12Sy7f2bryyfW94WiAtIP9P-mQHG0FwK0/view?usp=sharing
Impact
If successfully exploited, this vulnerability could lead to several adverse consequences, including:
Theft of sensitive information: An attacker could leverage the vulnerability to trick users into submitting their sensitive information, such as login credentials, which could then be intercepted and misused.
Malicious actions on behalf of the user: By injecting malicious code, an attacker could manipulate the victim's browser session, leading to unauthorized actions being performed on behalf of the user, potentially compromising the entire system.
Since this is already fixed, there is no sense in resubmitting this.
@admin @ mainatainer , That was my report marked as informative, I just want my credit, As per admin instruction I resubmitted the report at correct repo. you can see it in previous report. How can you mark it as spam.
@admin please mark this as a valid report.
The recommendation to re-report was my own suggestion and I apologise for the confusion caused. Your reputation has been reset and you have been rewarded +7 reputation for the validity.
If the maintainer could please mark as fixed with the required information or if you have the fix commit SHA available as well as the fixed version we can do so manually.
Thanks!
Thank you @admin
Fix Commit: https://github.com/splitbrain/dokuwiki-plugin-translation/commit/6a15d70a4206638c5a47920004632d5bb5abea89
As this is marked as valid. Can I get CVE? @maintainer?