Mend Vulnerability Database
What is a CVE vulnerability ID? What is a WS vulnerability ID? What is an MSC vulnerability ID?New vulnerability? Tell us about it!
We found results for “”
Date: June 22, 2022
OverviewIn openlibrary versions deploy-2016-07-0 through deploy-2021-12-22 are vulnerable to Stored XSS.
DetailsIn openlibrary versions deploy-2016-07-0 through deploy-2021-12-22 are vulnerable to Stored XSS where
a malicious user can save a malicious script while creating a new book.
When the victim user navigates to recent community edits and edit the book XSS will be triggered.
PoC Details1. Login to the application with an admin user. (usually the URL will be: http://localhost:8080/)
2. Navigate to “More” options and click on “Add a Book”. Then fill up all the input fields and create a book.
3. Navigate to “work details” and insert the XSS payload in the text editor ("How would you describe this book") and click on save.
4. Navigate to private window and login with admin privileged user credentials .
5. Navigate to “Recent community edits” from more section and click on the recent post.
6. Now click on “Edit” and XSS will be triggered when the work details page will be displayed.
<img src=1 onerror=prompt(document.cookie)>
Affected Environmentsopenlibrary versions deploy-2016-07-0 through deploy-2021-12-22
PreventionUpgrade to openlibrary version deploy-2022-06-09
Good to know:
|Attack Vector (AV):||Network|
|Attack Complexity (AC):||Low|
|Privileges Required (PR):||Low|
|User Interaction (UI):||Required|
|Access Vector (AV):||Network|
|Access Complexity (AC):||Medium|