CVE-2022-0938: Stored XSS via file upload in showdoc

Description

Hello Team,

This is a bypass to the report in https://huntr.dev/bounties/6127739d-f4f2-44cd-ae3d-e3ccb7f0d7b5/.
The upload feature allows the files with the extension .xxhtml which leads to Stored XSS.

Proof of Concept

filename="poc.xxhtml"

<script>alert(1)</script>

Steps to Reproduce

1.Login into showdoc.com.cn.
2.Navigate to file library (https://www.showdoc.com.cn/attachment/index)
3.In the File Library page, click the Upload button and choose the poc.xxhtml
4.After uploading the file, click on the check button to open that file in a new tab.

XSS will trigger when the attachment is opened in a new tab.

POC URL: https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=f79c619fb54bf22255af3797e25cfcfc

Impact

An attacker can perform social engineering on users by redirecting them from a real website to a fake one. a hacker can steal their cookies etc.