
CVE-2021-30146 PoC — Seafile Cross-Site Scripting Vulnerability

Associated Vulnerability
Title: Seafile Cross-Site Scripting Vulnerability (CVE-2021-30146)
Description: Seafile is an open-source enterprise cloud drive developed by 海文互知网络技术公司. The product offers Markdown WYSIWYG editing, a wiki, file tagging and other features. Seafile 7.0.5 (2019) contains a cross-site scripting vulnerability that allows persistent XSS through the "share library" functionality.
Description
Seafile 7.0.5 Persistent XSS
Readme
# CVE-2021-30146
Seafile 7.0.5 Persistent XSS

[Suggested description]: The application (Seafile Server version 7.0.5) is vulnerable to persistent XSS via the share-library functionality.

[Additional Information]: Seafile is an open-source, self-hosted file sync and share solution with high performance and reliability.

[Vulnerability Type]: Cross Site Scripting (XSS)

[Vendor of Product]: https://www.seafile.com/en/home/

A letter was sent to the vendor about the vulnerability.

[Attack Type]: Remote

[Attack Vectors]: An attacker with a local account can share a specially crafted library containing malicious JavaScript with other users. The JavaScript executes through the notification message shown in the victim's account. A single share can reach every user of the application.

[Discovered]: Alexander Semenenko

[Reference]: https://www.seafile.com/

[Proof of Concept]:

![alt text](https://github.com/Security-AVS/CVE-2021-30146/blob/main/Persistent%20XSS.png)
File Snapshot

[4.0K] /data/pocs/81012ae6d6ab2dc91b9c1559d5176797c53bbc09
├── [ 48K] Persistent XSS.png
└── [ 974] README.md

0 directories, 2 files