Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cross Site Scripting (XSS) in the 'Project Name' field #584

Closed
FilipposM opened this issue Dec 2, 2013 · 4 comments
Closed

Cross Site Scripting (XSS) in the 'Project Name' field #584

FilipposM opened this issue Dec 2, 2013 · 4 comments
Labels

Comments

@FilipposM
Copy link

A stored Cross Site Scripting (XSS) discovered in the 'Project Name' field.

We have sent an email to you with the Proof Of Concept (PoC) too.

@daeks
Copy link
Member

daeks commented Dec 2, 2013

didnt have received an email yet

@FilipposM
Copy link
Author

We have already sent the email (dev@codiad.com)

@FilipposM
Copy link
Author

We will post the vulnerability information here too:

If we put for example as Project Name the:
<script>alert("XSS Found!");</script>
we can see that our code will be stored and executed.

This popup alert will appear every time we trigger the Project Menu or
the Codiad loads the Project.

It seems that the input must be sanitized.

PoC/Screenshots:
01
02
03

@daeks
Copy link
Member

daeks commented Dec 3, 2013

thanks for the poc, seems that the email was lost in my inbox, maybe @Fluidbyte has received it. Anyway, marked it as bug

@daeks daeks closed this as completed Dec 5, 2013
@daeks daeks reopened this Dec 5, 2013
@daeks daeks mentioned this issue Dec 11, 2013
@daeks daeks closed this as completed Jan 8, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants