CVE-2022-26197: PoC A Stored Cross-Site Scripting (XSS) vulnerability in Joget DX 7 - Datalist table (CVE-2022-26197)

PoC A Stored Cross-Site Scripting (XSS) vulnerability in Joget DX 7 - Datalist table (CVE-2022-26197)

[Product Description]

Joget DX is an open source platform to easily build enterprise web apps for cloud and mobile.

[Details]

The data table generated via the Datalist table module was vulnerable to A Stored Cross-Site Scripting (XSS) vulnerability. In case that the application allows user submit the input to be displayed on this table, the input data will be collected. Then the Joget DX will display the collected data without escaping and let it to be executed on the browser (for Javascript data).

[Impact]

Running malicious web script or HTML script on victim’s web browser.

[Affected component]

Joget DX 7

[Attack Type]

Remote

[PoC]

1. Submit <a href="javascript:x=’%27-alert(1)-%27’;">XSS</a> to a form (that will displayed on the Datalist table) on the website generated by Joget DX.

2. Click the “XSS” link to trigger the javascript.