Xmind 2020
cpe:2.3:a:xmind:xmind:*:*:*:*:*:*:*
- 2020
A cross-site scripting vulnerability has been identified in Xmind 2020, allowing attackers to inject malicious JavaScript payloads into mind mapping files or custom headers. When these files are opened, the embedded scripts can execute system commands, potentially leading to remote code execution. This exploitation can occur through mouse interactions or by simply opening the manipulated files.
Exploitation of this vulnerability allows for cross-site scripting, with the injected scripts executing in the context of the user.
To reproduce this vulnerability, create a mind mapping file and inject a JavaScript payload into a custom header or the file's content. Once the file is saved and opened in Xmind 2020, the payload will execute, performing the actions specified in the injected script. This can include executing system commands or other malicious activities, depending on the nature of the payload.
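For triaging untrusted mind mapping files before they are opened, the following added example (not part of the original advisory and not Xmind's code) flags string fields that contain script-capable markup. It assumes a `.xmind` file is a ZIP container whose content is stored in JSON members; the function names and the sample archive are constructed for illustration.

```python
import io
import json
import re
import zipfile

# Generic indicators of script-capable markup; expect some false positives in triage.
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|img|svg|object|embed)\b|\bon[a-z]+\s*=|javascript:", re.I)

def iter_strings(node, path="$"):
    """Yield (json_path, value) for every string in a parsed JSON document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")

def scan_xmind(data: bytes):
    """Return (member, json_path, excerpt) findings; the content is never rendered."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<container>", "$", "not a ZIP archive")]
    with archive:
        for name in archive.namelist():
            if not name.lower().endswith(".json"):
                continue
            try:
                doc = json.loads(archive.read(name).decode("utf-8"))
            except (UnicodeDecodeError, json.JSONDecodeError):
                findings.append((name, "$", "unparseable JSON"))
                continue
            for path, value in iter_strings(doc):
                if SUSPICIOUS.search(value):
                    findings.append((name, path, value[:80]))
    return findings

def build_sample(title: str) -> bytes:
    """Constructed sample: a minimal archive with one sheet and one root topic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        sheet = {"title": "Sheet 1", "rootTopic": {"title": title}}
        z.writestr("content.json", json.dumps([sheet]))
    return buf.getvalue()

if __name__ == "__main__":
    for title in ("Quarterly plan", "<script>alert(1)</script>"):
        print(repr(title), "->", scan_xmind(build_sample(title)))
```

Because the scanner walks every string in every JSON member, it does not depend on a particular topic schema; a finding means the file should be inspected in a text viewer rather than opened in the application.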