You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There is a cross-site scripting (XSS) vulnerability in the Knowledge Repo 0.7.4 (other versions may be affected as well) which allows remote attackers to inject arbitrary JavaScript via post comments functionality.
<script>alert("Client side attacks is possible here!");</script>
Impact: An unauthenticated evil user can leverage the vulnerability to conduct various types of client side attacks, for example, conducting a browser mining, redirecting users to malicious sites or hijacking the user’s browser using malware.
As an irrefutable evidence please take a look at the attached screen-shot.
Auto-reviewers: @NiharikaRay @matthewwardrop @earthmancash @danfrankj
Hello, guys!
There is a cross-site scripting (XSS) vulnerability in the Knowledge Repo 0.7.4 (other versions may be affected as well) which allows remote attackers to inject arbitrary JavaScript via post comments functionality.
Steps to reproduce:
<script>alert("Client side attacks is possible here!");</script>Just open any post like this https://site.com/post/posts/new_report.kp
and add the following code as a comment/PoC:
Impact: An unauthenticated evil user can leverage the vulnerability to conduct various types of client side attacks, for example, conducting a browser mining, redirecting users to malicious sites or hijacking the user’s browser using malware.
As an irrefutable evidence please take a look at the attached screen-shot.
Mitigation: Details on how to prevent XSS can be found here: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
PoC:
![xss](https://user-images.githubusercontent.com/6551435/41200588-f832ab3c-6caf-11e8-9f4f-117d153a5473.png)
The text was updated successfully, but these errors were encountered: