Stored Cross-site scripting affecting automad/automad
Low severity
GitHub Reviewed
Published Dec 21, 2023 to the GitHub Advisory Database • Updated Dec 29, 2023
Published by the National Vulnerability Database: Dec 21, 2023
Published to the GitHub Advisory Database: Dec 21, 2023
Reviewed: Dec 29, 2023
Last updated: Dec 29, 2023
Description
automad up to 1.10.9 is vulnerable to stored cross-site scripting in the sitename argument because the SharedController class that handles form data and saving shared information does not properly sanitize the user input on the client side when rendering the data. The attack may be launched remotely and an exploit has been disclosed publicly.
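The description above is a store-then-render flaw: the value is saved as submitted and later placed into markup without encoding. The following is an added example, not Automad's code and not part of the advisory; it contrasts unencoded rendering with encoding at the point of output. Only the sitename field name comes from the advisory, while saveShared, renderHeaderUnsafe, renderHeaderSafe and the sample value are hypothetical.

```javascript
// Added illustration; all function names are hypothetical, not Automad's code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for the shared settings store: the value is persisted as submitted.
function saveShared(store, form) {
  store.sitename = form.sitename;
  return store;
}

// "Before": the stored value is concatenated straight into markup, so any
// markup inside it becomes part of the page for every later visitor.
function renderHeaderUnsafe(store) {
  return `<h1 title="${store.sitename}">${store.sitename}</h1>`;
}

// "After": every use of the stored value is encoded where it is output,
// covering both the attribute and the element text.
function renderHeaderSafe(store) {
  const name = escapeHtml(store.sitename);
  return `<h1 title="${name}">${name}</h1>`;
}

// Constructed sample input containing markup and quote characters.
const SAMPLE = { sitename: 'Demo "Site" <script>/* marker */</script>' };

// Save once, then render the same stored value both ways.
function demo() {
  const store = saveShared({}, SAMPLE);
  return { unsafe: renderHeaderUnsafe(store), safe: renderHeaderSafe(store) };
}

console.log(demo());
```

Encoding at output rather than at save time keeps the stored value intact and protects every rendering path that reads it, including data saved before the fix.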