Cross Site Scripting (Stored) vulnerability #1254

Closed
@aegisduck

Describe the bug

Suggested description of the vulnerability

A stored cross-site scripting (XSS) vulnerability in the 'Add Asset' page of Screenly-OSE allows a remote attacker to introduce arbitrary JavaScript via manipulation of a 'URL' field.

Attack vector(s)

1. Press the 'Add Asset' button in the upper right corner.
2. Enter https://www.google.com/?<img src=xss onerror=alert(document.domain)> in the 'Asset URL' field.
3. When accessing the main page ('Schedule Overview' menu), arbitrary code is executed.

(The same vulnerability occurs when uploading to a file other than a URL.)

Affected URL/API(s)

/api/v1.2/assets

Environment

  • Raspberry Pi Hardware Version: Model 3B+ Revision: 1.3 Ram: 1 GB Sony UK
  • Screenly OSE Version: 2019-09-25-Screenly-OSE-lite.img
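
Added example, not part of the original report and not Screenly OSE's own code: the vulnerable rendering pattern beside a hardened one, run against the value from step 2. The function names and the table-cell markup are hypothetical; the example assumes the stored asset URI is inserted into HTML when the asset list is drawn.

```javascript
// Added example; function names and markup are hypothetical, not from Screenly OSE.
// The value from step 2 of the report, used here as test input for the encoder.
const PAYLOAD = 'https://www.google.com/?<img src=xss onerror=alert(document.domain)>';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so any tag it contains becomes part of the page.
function renderAssetRowUnsafe(asset) {
  return '<td class="asset-uri">' + asset.uri + '</td>';
}

// Hardened pattern: same markup, stored value encoded at output time.
// This also covers names that arrive through file upload rather than a URL.
function renderAssetRowSafe(asset) {
  return '<td class="asset-uri">' + escapeHtml(asset.uri) + '</td>';
}

// Defence in depth at the API boundary: accept only http(s) URLs and store the
// parser's serialization, which percent-encodes < and > in the query string.
function normalizeAssetUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return null; // not parseable as an absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return null; // rejects javascript:, data:, and other schemes
  }
  return url.href;
}

console.log(renderAssetRowUnsafe({ uri: PAYLOAD }));
console.log(renderAssetRowSafe({ uri: PAYLOAD }));
console.log(normalizeAssetUrl(PAYLOAD));
```

Output encoding is the primary fix because it protects every stored field at the point of display; input normalization only narrows what can be stored through the URL path.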
