Cross Site Scripting (XSS) in the 'Project Name' field #584

Closed
FilipposM opened this Issue Dec 2, 2013 · 4 comments

Comments

Projects
None yet
2 participants

A stored Cross Site Scripting (XSS) discovered in the 'Project Name' field.

We have sent an email to you with the Proof Of Concept (PoC) too.

Owner

daeks commented Dec 2, 2013

didnt have received an email yet

We have already sent the email (dev@codiad.com)

We will post the vulnerability information here too:

If we put for example as Project Name the:
<script>alert("XSS Found!");</script>
we can see that our code will be stored and executed.

This popup alert will appear every time we trigger the Project Menu or
the Codiad loads the Project.

It seems that the input must be sanitized.

PoC/Screenshots:
01
02
03

Owner

daeks commented Dec 3, 2013

thanks for the poc, seems that the email was lost in my inbox, maybe @Fluidbyte has received it. Anyway, marked it as bug

@daeks daeks closed this Dec 5, 2013

@daeks daeks reopened this Dec 5, 2013

@daeks daeks referenced this issue Dec 11, 2013

Merged

Sec Patches #586

@daeks daeks closed this Jan 8, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment