Sync iCloud COS < 2.0.1 – Admin+ Stored Cross-Site Scripting | CVE 2022-0659

Description

The plugin does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payload in the 本地文件夹 or URL前缀 settings of the plugin: " style=animation-name:rotation onanimationstart=alert(/XSS/) b=

Affects Plugins

sync-qcloud-cos

Fixed in 2.0.1

References

CVE

CVE-2022-0659

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

fuzzyap1

Submitter

fuzzyap1

Verified

Yes

WPVDB ID

22dc2661-ba64-49e7-af65-892a617ab02c

Timeline

Publicly Published

2022-02-17 (about 2 years ago)

Added

2022-02-17 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

Xorbin Digital Flash Clock 1.0 - Flash-based XSS

Published

2014-08-01

Title

Social Connect 0.10.1 - diagnostics/test.php testing Parameter Reflected XSS

Published

2023-11-15

Title

Daily Prayer Time < 2023.10.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Published

2023-01-18

Title

Lightbox Gallery < 0.9.5 - Contributor+ Stored XSS via Shortcode

Published

2023-12-22

Title

Sensei LMS < 4.18.0 - Contributor+ Stored XSS