CVE-2022-44953: Stored Cross Site Scripting Vulnerability Bypass filter on "Files" feature in webtareas 2.4p5 · Issue #8 · anhdq201/webtareas

webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /linkedcontent/listfiles.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field after clicking "Add".

**Version:** 2.4p5

**Description**

An authenticated malicious user can take advantage of a Stored XSS vulnerability in the “Files” feature.

**Proof of Concept**

**Step 1:** Go to "/linkedcontent/listfiles.php?doc_type=0&id=0", click “Add” and insert payload “<details/open/ontoggle=alert(document.cookie)>” in “Name” field.

**Step 2:** Alert XSS Message

**Impact**

If an attacker can control a script that is executed in the victim’s browser, then they can typically fully compromise that user.
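
For stored XSS of this kind, the durable fix is encoding the stored value when it is rendered, not filtering it on input. The PHP example below is added here and is not code from webtareas or from the issue; `blocklist_filter`, `encode_html` and `is_valid_file_name` are hypothetical names, and the blocklist is an assumed stand-in because the page does not show the filter that was bypassed.

```php
<?php
declare(strict_types=1);

// Hypothetical blocklist of the kind a tag-based payload slips past.
// The real webtareas filter is not shown on the page; this is an assumption.
function blocklist_filter(string $name): string
{
    // Strips <script>...</script> blocks and "javascript:" schemes only.
    $name = preg_replace('#<\s*script\b[^>]*>.*?<\s*/\s*script\s*>#is', '', $name) ?? '';
    return preg_replace('#javascript\s*:#i', '', $name) ?? '';
}

// Output encoding for HTML text nodes and quoted attribute values.
// Applied at render time, so values already stored in the database are covered.
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Optional defence in depth: allowlist for the "Name" field (assumed policy:
// letters, digits, space, dot, underscore, parentheses, hyphen, max 255 chars).
function is_valid_file_name(string $name): bool
{
    return preg_match('/\A[\p{L}\p{N} ._()\-]{1,255}\z/u', $name) === 1;
}

// The Name value from the report's proof of concept.
$stored = '<details/open/ontoggle=alert(document.cookie)>';

// The blocklist finds no <script> tag and no javascript: scheme,
// so the markup reaches the page intact.
$filtered = blocklist_filter($stored);
echo 'blocklist changed input: ', var_export($filtered !== $stored, true), PHP_EOL;

// Encoding turns < and > into entities, so the browser shows text
// instead of parsing an element with an event handler.
$encoded = encode_html($stored);
echo 'rendered cell: <td>', $encoded, '</td>', PHP_EOL;

// The allowlist rejects the report's value and accepts an ordinary file name.
echo 'report value accepted: ', var_export(is_valid_file_name($stored), true), PHP_EOL;
echo 'normal name accepted: ', var_export(is_valid_file_name('Q3 report (final).pdf'), true), PHP_EOL;
```

Encoding belongs in every template that prints the Name field, since a single unencoded output path is enough to reintroduce the issue.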
