Cross Site Scripting (Stored) vulnerability #1254

aegisduck · 2019-11-12T11:55:32Z

Describe the bug

Suggested description of the vulnerability

: A stored cross-site scripting (XSS) vulnerability in the 'Add Asset' page of Screenly-OSE allows a remote attacker to introduce arbitary Javascript via manipulation of a 'URL' filed.

Attack vector(s)

　1. Press the 'Add Asset' button in the upper right corner.

　2. Enter https://www.google.com/?<img src=xss onerror=alert(document.domain)> in the 'Asset URL' field.

　3. When accessing the main page ('Schedule Overview' menu), arbitrary code is executed.
(The same vulnerability occurs when uploading to a file other than a URL.)

Affected URL/API(s)

/api/v1.2/assets

Environment

Raspberry Pi Hardware Version: Model 3B+ Revision: 1.3 Ram: 1 GB Sony UK
Screenly OSE Version: 2019-09-25-Screenly-OSE-lite.img

The text was updated successfully, but these errors were encountered:

vpetersson · 2019-11-12T11:57:34Z

Good find! Adding this to the next sprint.

vpetersson added the security label Nov 12, 2019

vpetersson added this to To do in Sprint 12 (upcoming) via automation Nov 12, 2019

rusko124 mentioned this issue Nov 27, 2019

Edit: XSS escaping #1273

Merged

vpetersson closed this as completed Nov 27, 2019

Sprint 12 (upcoming) automation moved this from To do to Done Nov 27, 2019

rusko124 mentioned this issue Dec 5, 2019

URI of Asstes get´s encoded wrong #1275

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cross Site Scripting (Stored) vulnerability #1254

Cross Site Scripting (Stored) vulnerability #1254

aegisduck commented Nov 12, 2019

vpetersson commented Nov 12, 2019

Cross Site Scripting (Stored) vulnerability #1254

Cross Site Scripting (Stored) vulnerability #1254

Comments

aegisduck commented Nov 12, 2019

Describe the bug

Suggested description of the vulnerability

Attack vector(s)

Affected URL/API(s)

Environment

vpetersson commented Nov 12, 2019