Closed
Describe the bug
Suggested description of the vulnerability: A stored cross-site scripting (XSS) vulnerability in the 'Add Asset' page of Screenly-OSE allows a remote attacker to introduce arbitrary JavaScript via manipulation of a 'URL' field.
Attack vector(s)

1. Press the 'Add Asset' button in the upper right corner.

2. Enter https://www.google.com/?<img src=xss onerror=alert(document.domain)> in the 'Asset URL' field.

3. When accessing the main page ('Schedule Overview' menu), arbitrary code is executed.
(The same vulnerability occurs when uploading to a file other than a URL.)
Affected URL/API(s)
/api/v1.2/assets
Environment
- Raspberry Pi Hardware Version: Model 3B+ Revision: 1.3 Ram: 1 GB Sony UK
- Screenly OSE Version: 2019-09-25-Screenly-OSE-lite.img
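
A defensive sketch for the issue reported above, added here as an example and not taken from the Screenly OSE code base: it validates the submitted asset URL on the server and HTML-encodes stored values when they are rendered. The function names `normalize_asset_uri` and `render_asset_row`, the http/https allow-list, and the row markup are assumptions; the sample input is the value from step 2 of the report.

```python
import html
from urllib.parse import quote, urlsplit

# Assumption: only absolute web URLs are valid for URL-type assets.
ALLOWED_SCHEMES = {"http", "https"}


def normalize_asset_uri(uri: str) -> str:
    """Validate a submitted asset URL and percent-encode unsafe characters.

    Raises ValueError when the value is not an absolute http(s) URL.
    """
    uri = uri.strip()
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("asset URL must be an absolute http(s) URL")
    # Keep URL delimiters and existing %-escapes; encode everything else,
    # which includes < > " ' and spaces.
    return quote(uri, safe=":/?#[]@!$&()*+,;=%~")


def render_asset_row(name: str, uri: str) -> str:
    """Build table-row markup, HTML-encoding every stored value on output.

    Output encoding is applied even if the input was validated, so records
    stored before validation existed (or uploaded file names) stay inert.
    """
    safe_name = html.escape(name, quote=True)
    safe_uri = html.escape(uri, quote=True)
    return (
        f'<tr><td>{safe_name}</td>'
        f'<td><a href="{safe_uri}">{safe_uri}</a></td></tr>'
    )


# Constructed sample input: the 'Asset URL' value from the report.
REPORTED_INPUT = (
    "https://www.google.com/?<img src=xss onerror=alert(document.domain)>"
)

if __name__ == "__main__":
    stored = normalize_asset_uri(REPORTED_INPUT)
    print("stored  :", stored)
    # Worst case: a raw legacy record is rendered without prior validation.
    print("rendered:", render_asset_row(REPORTED_INPUT, REPORTED_INPUT))
```

Validation alone does not cover values already stored or the file-upload path mentioned in the report, which is why the rendering function encodes independently.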