CVE-2024-37629: Simple XSS Payload Exploits 0day Vulnerability in 10,000 Web Apps
The Power of Simplicity: A Bug Bounty Tale with Big Results
Late one night, after working on a couple of bug bounty platforms, I decided to revisit a CVE I found last month. I realized that the web application had implemented the Summernote WYSIWYG editor, and that a flawed implementation of it was the root cause of the stored XSS vulnerabilities. With that in mind, I decided to examine the WYSIWYG editor itself, considering the historical vulnerabilities tied to other editors like CKEditor and TinyMCE, which are known to suffer from similar issues.
This led me to the SummerNote website, where they have implemented their WYSIWYG editor on the front page for visitors to demo its functionality. They also linked to the GitHub repo, allowing me to review the codebase if needed during my hacking attempts. My goal for the night was to find an XSS vulnerability in the editor.
Given my previous experience with other WYSIWYG editors, my first instinct was to test the Code View function of the editor. This function allows users to style their input using HTML elements. I decided to see how the WYSIWYG editor handled "malicious" input by providing the following XSS payload:
<details/open/ontoggle=prompt(origin)>
After I set my payload, I clicked the </> button to disable the Code View functionality and see whether the editor processed and executed my payload. To my surprise, I received an alert box, confirming that the XSS payload and vector were valid!
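To make the lesson concrete from the defender's side, here is an added example (my own code, not from this post or from the Summernote project) in JavaScript. It contrasts a whitespace-only handler filter, the kind of check a naive Code View implementation might apply, with one that tokenizes attributes the way a browser does. The first leaves the payload above untouched because HTML also accepts `/` as an attribute separator; the second drops every `on*` attribute regardless of separator, quoting or case. The function names and the small tokenizer are my own illustration, and the snippet assumes plain Node.js with no DOM.

```javascript
// Added example: strip inline event-handler attributes from editor HTML
// before it is rendered. Not Summernote code; the tokenizer is a small
// illustration, not a complete HTML5 parser.

// The payload from the post, used here as a constructed test input.
const PAYLOAD = "<details/open/ontoggle=prompt(origin)>";

// Naive filter: only recognises an on* attribute that follows whitespace.
// It misses the payload because "/" also separates attributes in HTML.
function stripHandlersNaive(html) {
  return html.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Hardened filter: walk each start tag, tokenize its attribute list on any
// separator the HTML tokenizer accepts (whitespace or "/"), and drop every
// attribute whose name starts with "on", whatever the quoting or case.
function stripHandlers(html) {
  return html.replace(/<([a-zA-Z][^\s/>]*)([^>]*)>/g, (match, tagName, attrs) => {
    const kept = [];
    // One attribute: a name, then optionally "=" and a quoted or bare value.
    const attrRe = /([^\s/=>]+)(\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
    let m;
    while ((m = attrRe.exec(attrs)) !== null) {
      const name = m[1].toLowerCase();
      if (name.startsWith("on")) continue; // event handler attribute: drop it
      kept.push(m[0]);
    }
    // Preserve a trailing "/" so <br/> style tags keep their shape.
    const selfClosing = /\/\s*$/.test(attrs) ? " /" : "";
    return `<${tagName}${kept.length ? " " + kept.join(" ") : ""}${selfClosing}>`;
  });
}

// Stand-alone run: show both filters against the post's payload.
console.log("naive:    ", stripHandlersNaive(PAYLOAD)); // payload survives
console.log("hardened: ", stripHandlers(PAYLOAD));      // <details open>
```

The point is which control does the work: attribute parsing, not whitespace matching. In production, hand the editor output to a maintained sanitizer such as DOMPurify rather than a hand-written regex; the tokenizer above ignores script elements, `javascript:` URLs and the many other vectors a real sanitizer covers, and exists only to show why the slash-separated form of the payload slips past a simplistic check.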
Further investigation confirmed that this WYSIWYG editor is used in over 10,000 web applications, according to the technology analytics I found. This turned out to be my most significant CVE discovery to date. This serves as a lesson for new hackers: keeping exploitation and payload creation simple can be more effective than you might expect.
Until next time my fellow hackers!