You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It can be triggered by executing a request with title set to <img src=x onerror=evil_code> and downloadToken set to e.g. 1.
The malicious payload <img src=x onerror=evil_code> will then be injected in the returned HTML-page and sent to user. This will cause evil_code to get executed in user's browser.
This is a serious security issue and i would advise you to fix it ASAP. A possible fix is fairly easy, change the faulty line to:
This will fix the XSS problem and will not harm in legit usecases.
Please note that i am not a regular contributor to your project. I found the bug while testing DeepCode’s AI Code Review. The tool can help you automate the process of finding such (and many other types of) bugs. You can sign-up your repo (free for Open Source) to receive notifications whenever new bugs are detected. You can give it a try here.
Hello,
I noticed a Cross-Site Scripting (XSS) Vulnerability in line
dataviva-site/dataviva/apps/embed/views.py
Line 432 in 5bb4dac
It can be triggered by executing a request with
title
set to<img src=x onerror=evil_code>
anddownloadToken
set to e.g.1
.The malicious payload
<img src=x onerror=evil_code>
will then be injected in the returned HTML-page and sent to user. This will causeevil_code
to get executed in user's browser.This is a serious security issue and i would advise you to fix it ASAP. A possible fix is fairly easy, change the faulty line to:
return "/static/downloads/" + flask.escape(filenameDownload) + ".zip"
This will fix the XSS problem and will not harm in legit usecases.
Please note that i am not a regular contributor to your project. I found the bug while testing DeepCode’s AI Code Review. The tool can help you automate the process of finding such (and many other types of) bugs. You can sign-up your repo (free for Open Source) to receive notifications whenever new bugs are detected. You can give it a try here.
Any feedback is more than welcome at chibo@deepcode.ai.
Cheers, Victor.
The text was updated successfully, but these errors were encountered: