PeteReport Version 0.5 allows an authenticated admin user to inject persistent javascript code inside the markdown descriptions while creating a product, report or finding.
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Base Score:
4.8
Steps to reproduce
Click on 'Add Product'.
Insert the following PoC inside the product description.
[XSS](javascript:alert(1))
Click on 'Save Product'
If a user visits the product and click on the link in the description the Javascript code will be rendered.
Screenshots and files
System Information
Version: PeteReport Version 0.5.
Operating System: Docker.
Web Server: nginx.
The text was updated successfully, but these errors were encountered:
@alestorm980 Thank you, that happen to me to trust in markdown 🗡️ . Should be fixed in the last commit, take a look and let me know if do you find more issues.
Hi I am a security researcher at Fluid Attacks, our security team found a security issue inside PeteReport version 0.5.
Attached below are the links to our responsible disclosure policy.
Bug description
PeteReport Version 0.5 allows an authenticated admin user to inject persistent javascript code inside the markdown descriptions while creating a product, report or finding.
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Base Score:
4.8
Steps to reproduce
Screenshots and files
System Information
The text was updated successfully, but these errors were encountered: