
Cross Site Scripting (XSS) in the 'Project Name' field #584

Closed
FilipposM opened this Issue · 4 comments

2 participants

@FilipposM

A stored Cross Site Scripting (XSS) discovered in the 'Project Name' field.

We have sent an email to you with the Proof Of Concept (PoC) too.

@daeks
Owner

Didn't receive an email yet.

@FilipposM

We have already sent the email (dev@codiad.com)

@FilipposM

We will post the vulnerability information here too:

If we put, for example, as Project Name:
<script>alert("XSS Found!");</script>
we can see that our code will be stored and executed.

This popup alert will appear every time we trigger the Project Menu or Codiad loads the Project.

It seems that the input must be sanitized.

PoC/Screenshots: (three screenshots attached to the original issue; images not included here)
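The report above describes a project name being stored and later written into the project menu markup verbatim. The following is an added illustration (not Codiad's own code) of the vulnerable render pattern beside a hardened one that HTML-escapes the name at output time, plus an optional creation-time allowlist; the `renderProjectMenu*`, `escapeHtml` and `isValidProjectName` names, the `{name, path}` record shape and the allowlist pattern are assumptions made for this example.

```javascript
// Added example, not code from the Codiad project.
// Output-time escaping of the five HTML-significant characters turns the
// stored payload into inert text instead of an executing script element.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (for contrast only): the stored name is concatenated
// into the menu markup unescaped, so a name such as the one in the report
// becomes a live <script> element every time the menu is rendered.
function renderProjectMenuUnsafe(projects) {
  return projects.map((p) => `<li data-path="${p.path}">${p.name}</li>`).join('');
}

// Hardened pattern: every untrusted value is escaped before entering the markup,
// both in element content and inside a quoted attribute.
function renderProjectMenu(projects) {
  return projects
    .map((p) => `<li data-path="${escapeHtml(p.path)}">${escapeHtml(p.name)}</li>`)
    .join('');
}

// Defense in depth (assumption, not from the issue): project names also act as
// directory names, so a conservative allowlist at creation time is reasonable.
// This complements, but does not replace, output escaping.
const PROJECT_NAME_RE = /^[A-Za-z0-9 _.-]{1,64}$/;

function isValidProjectName(name) {
  return PROJECT_NAME_RE.test(String(name));
}

// Constructed sample input reproducing the payload quoted in the report.
const SAMPLE_PROJECTS = [
  { name: 'docs', path: '/workspace/docs' },
  { name: '<script>alert("XSS Found!");</script>', path: '/workspace/evil' },
];
```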

@daeks
Owner

Thanks for the PoC. Seems that the email was lost in my inbox; maybe @Fluidbyte has received it. Anyway, marked it as a bug.

@daeks daeks closed this
@daeks daeks reopened this
@daeks daeks referenced this issue
Merged

Sec Patches #586

@daeks daeks closed this