You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
1. Test environment
The testing environment is Windows 10 Home Chinese version
The version is as follows:
Test version: dootask demonstration environment; dootask v0.30.13
2. Vulnerability Description
dooTask is a lightweight open source online project task management tool that provides various document collaboration tools, online mind maps, online flowcharts, project management, task distribution, real-time IM, file management, and more.
dooTask v0.30.13 and below have a cross site scripting vulnerability. The vulnerability stems from the lack of effective filtering and escape of user provided data by the application, and the system provides file upload and online preview functions. Attackers can exploit this vulnerability by injecting carefully designed payloads to execute arbitrary web scripts or HTML.
3. POC
3.1 Function points
File - Upload File - Click to View
3.2 XSS vulnerability hazards
After a successful attack using XSS code, malicious users may gain high privileges. XSS vulnerabilities mainly pose the following hazards:
(1) Stealing various user accounts;
(2) Stealing user cookie information and impersonating the user's identity to enter the website;
(3) Hijacking user sessions and performing arbitrary operations; Refers to operating the user's browser:
(4) Streaming display, executing commercial advertisements:
(5) Spread worms.
and so on
3.3 POC process
We first write the following code into a text file, and then modify the file suffix name to pdf, where we name it joy. pdf. The following code can execute XSS attacks, and when the attack is successfully executed, the user will receive an XSS pop-up window. Afterwards, upload the file to the system through the function points and view it.
It is recommended not to enable the online viewing function of PDF and HTML. Click to directly view the source file
Update PDF Reader: Update the version of the PDF reader in a timely manner to obtain the latest security fixes and vulnerability patches.
Restrict the source of PDF files: Download PDF files only from trusted sources to avoid downloading and opening unknown or suspicious PDF files.
Use security reader plugins: Install some security reader plugins that can provide additional security protection and vulnerability detection functions.
Regular review of PDF files: Regularly review downloaded PDF files and delete files that may contain malicious script code.
The text was updated successfully, but these errors were encountered:
1. Test environment
The testing environment is Windows 10 Home Chinese version
The version is as follows:
Test version: dootask demonstration environment; dootask v0.30.13
2. Vulnerability Description
dooTask is a lightweight open source online project task management tool that provides various document collaboration tools, online mind maps, online flowcharts, project management, task distribution, real-time IM, file management, and more.
dooTask v0.30.13 and below have a cross site scripting vulnerability. The vulnerability stems from the lack of effective filtering and escape of user provided data by the application, and the system provides file upload and online preview functions. Attackers can exploit this vulnerability by injecting carefully designed payloads to execute arbitrary web scripts or HTML.
3. POC
3.1 Function points
File - Upload File - Click to View
3.2 XSS vulnerability hazards
After a successful attack using XSS code, malicious users may gain high privileges. XSS vulnerabilities mainly pose the following hazards:
(1) Stealing various user accounts;
(2) Stealing user cookie information and impersonating the user's identity to enter the website;
(3) Hijacking user sessions and performing arbitrary operations; Refers to operating the user's browser:
(4) Streaming display, executing commercial advertisements:
(5) Spread worms.
and so on
3.3 POC process
We first write the following code into a text file, and then modify the file suffix name to pdf, where we name it joy. pdf. The following code can execute XSS attacks, and when the attack is successfully executed, the user will receive an XSS pop-up window. Afterwards, upload the file to the system through the function points and view it.
3.4 POC results
4. Repair plan
The text was updated successfully, but these errors were encountered: