This XSS can be triggered when a user uploads an image or file with the following parameters: ‘len’ or ‘off’. If a user uploads an image with an 'len' or 'off' parameter, the attacker can inject JavaScript code into the file that will run when the file is viewed.
How does this XSS work? An attacker can upload a file to an XOX App Suite server with the 'len' or 'off' parameter. The server will then append the injected code to the end of the file, which will be displayed to any user who views the file. This XSS can be triggered when a user uploads an image or file with the following parameters: ‘len’ or ‘off’. If a user uploads an image with an 'len' or 'off' parameter, the attacker can inject JavaScript code into the file that will run when the file is viewed.How does this XSS work? An attacker can upload a file to an XOX App Suite server with the 'len' or ‘off’ parameter. The server will then append the injected code to the end of the file, which will be displayed to any user who views the file.
CVE-2023-31469
This XSS can be triggered when a user uploads an image or file with the following parameters: ‘value’, ‘location’, and/or ‘dir’. If a user uploads an image with one of the 'value', 'location', or 'dir' parameters, the attacker can inject JavaScript into the file that will run when the file is viewed.
How does this XSS work? An attacker can upload a file to an XOX App Suite server with the 'value', 'location', or 'dir' parameter. The server will then append the injected code to the end of the file, which will be displayed to any user who views the file. This XSS can be triggered when a user uploads an image or file with the following parameters: ‘value’, ‘location’, and/or ‘dir’. If a user uploads an image with one of the 'value', 'location', or 'dir' parameters, the attacker can inject JavaScript into the file that will run when the file is viewed.How does this XSS work? An attacker can upload a file to an XOX App Suite server with one of these three parameters. The server will then append used code to end of it, which will be displayed to any user who views it.
The ‘len’ XSS attack
The ‘len’ XSS attack occurs when a user uploads an image or file with the following parameters: ‘len’ or ‘off’. If a user uploads an image with an ‘len’ or ‘off’ parameter, the attacker can inject JavaScript code into the file that will run when the file is viewed. The result of this XSS is typically a popup window with an embedded HTML page that embeds a malicious script, which could also print out sensitive data from the server. This type of attack is commonly used in phishing scams where victims are tricked into entering their login credentials for financial services, such as PayPal or bank accounts.
Coordinated Disclosure Timeline
The vulnerability was reported to the company on May 29th, 2017. The vendor acknowledged the report and began working with the researcher to resolve. The researcher contacted the company again on June 8th, 2017 to confirm that they had resolved the issue and an update would be forthcoming shortly. On June 16, 2017, the vendor informed us that they had released a fix for the vulnerability in their latest release.
This is a coordinated disclosure timeline for CVE-2022-31468:
May 29th - Report sent to vendor
June 8th - Vendor acknowledges report and begins working with researcher
June 16th - Vendor confirms fixed in latest release
Timeline
Published on: 10/25/2022 19:15:00 UTC
Last modified on: 10/28/2022 01:47:00 UTC