Describe the bug
Suggested description of the vulnerability: A stored cross-site scripting (XSS) vulnerability in the 'Add Asset' page of Screenly-OSE allows a remote attacker to introduce arbitrary JavaScript via manipulation of the 'URL' field.
Attack vector(s)
1. Press the 'Add Asset' button in the upper right corner.
2. Enter https://www.google.com/?<img src=xss onerror=alert(document.domain)> in the 'Asset URL' field.
3. When accessing the main page ('Schedule Overview' menu), arbitrary code is executed.
(The same vulnerability occurs when uploading a file rather than a URL.)
Affected URL/API(s)
/api/v1.2/assets
Environment
Raspberry Pi Hardware Version: Model 3B+ Revision: 1.3 RAM: 1 GB Sony UK
Screenly OSE Version: 2019-09-25-Screenly-OSE-lite.img
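As an added example that is not part of the report or of Screenly-OSE's own code: a server-side check for the 'Asset URL' value combined with HTML-escaping of the stored fields before the Schedule Overview renders them, the latter being the change that actually removes the stored XSS (the function names and the row markup are assumptions made for illustration).

```python
# Added example, not Screenly-OSE's own code: server-side validation of the
# 'Asset URL' value and HTML-escaping of stored fields before the overview
# renders them. The row markup is an assumption made for illustration.
import re
from html import escape
from urllib.parse import quote, urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
# Simplified host check: hostname or IPv4 plus optional port (no userinfo/IPv6).
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")
# RFC 3986 reserved chars stay readable; '<', '>', quotes, spaces get %-encoded.
SAFE = "/?:@!$&*+,;=%"


class InvalidAssetURL(ValueError):
    """Raised for anything that is not an absolute http(s) URL."""


def normalise_asset_url(raw: str) -> str:
    """Canonical, percent-encoded URL (defence in depth) or InvalidAssetURL."""
    parts = urlsplit(raw.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise InvalidAssetURL("scheme must be http or https")
    if not HOST_RE.match(parts.netloc):
        raise InvalidAssetURL("host is missing or malformed")
    return urlunsplit((
        parts.scheme.lower(),
        parts.netloc.lower(),
        quote(parts.path or "/", safe=SAFE),
        quote(parts.query, safe=SAFE),
        quote(parts.fragment, safe=SAFE),
    ))


def accepts_asset_url(raw: str) -> bool:
    """True if the API would store this value, False if it is rejected."""
    try:
        normalise_asset_url(raw)
        return True
    except InvalidAssetURL:
        return False


def render_asset_row(name: str, uri: str) -> str:
    """Overview cell with every stored field HTML-escaped. Output encoding is
    the real fix and also covers the uploaded-file-name variant."""
    return '<td><a href="{0}">{1}</a></td>'.format(
        escape(uri, quote=True), escape(name, quote=True)
    )
```

Validation alone is not sufficient, because the stored value remains attacker-chosen text; the escaping in render_asset_row is what keeps it from being interpreted as markup.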