CVE-2022-40317
MEDIUMOpenKM 6.3.11 - Stored Cross-Site Scripting via JavaScript URI in Anchor Element
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2022-40317. PoCs published by izdiwho.
AI-analyzed exploit summary The repository describes a stored XSS vulnerability in OpenKM Community Edition 6.3.11, where the 'javascript:' bypass in an <a> tag evades sanitization. The payload `<a href='javascript:alert(1)'>Click here for more info</a>` demonstrates the issue, requiring user interaction to trigger.
Description
OpenKM 6.3.11 allows stored XSS related to the javascript: substring in an A element.
Exploits (1)
The repository describes a stored XSS vulnerability in OpenKM Community Edition 6.3.11, where the 'javascript:' bypass in an <a> tag evades sanitization. The payload `<a href='javascript:alert(1)'>Click here for more info</a>` demonstrates the issue, requiring user interaction to trigger.
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N