
Fix: Reflected XSS Vulnerability in login after-action script #5461

Merged
merged 1 commit into from Oct 24, 2019

Conversation

NSTikhomirov (Contributor)

If `javascript:alert(1);//` is passed to the `redirect` param in the login action, the victim can execute JavaScript code after login.
This patch fixes this vulnerability by redirecting the user to the self-origin site only.
POC:
https://preview.pro.ant.design/user/login?redirect=javascript:alert(1);//
[screenshot]
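As an added illustration of the self-origin check the PR describes (this is not the PR's own code, whose diff is not shown here), the function below takes the untrusted `redirect` value, resolves it against the application's own origin, and only navigates to same-origin `http(s)` paths; the sample inputs are constructed, modelled on the PoC above.

```javascript
// Added example: allow-list a post-login redirect target to the current origin.
// Assumes a WHATWG URL implementation (browsers, Node 10+); `origin` would be
// window.location.origin in the real login after-action handler.
const FALLBACK = '/';

// Returns a same-origin, relative path to navigate to, or FALLBACK.
function safeRedirect(raw, origin) {
  if (typeof raw !== 'string' || raw.trim() === '') return FALLBACK;
  let target;
  try {
    // Relative paths resolve against our own origin; absolute URLs keep their scheme/host.
    target = new URL(raw, origin);
  } catch (e) {
    return FALLBACK; // unparseable input
  }
  // Reject non-http(s) schemes (javascript:, data:, vbscript:) ...
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return FALLBACK;
  // ... and any foreign host, which also covers protocol-relative "//host" and the
  // backslash variant "/\host" that the WHATWG parser normalises to a host change.
  if (target.origin !== origin) return FALLBACK;
  // Hand back only the path part so the navigation can never leave the origin.
  return target.pathname + target.search + target.hash;
}

// Constructed samples (not from the PR) exercising the payload and common bypass shapes.
const ORIGIN = 'https://preview.pro.ant.design';
const SAMPLES = [
  'javascript:alert(1);//',                          // the reported payload
  '//evil.example/phish',                            // protocol-relative open redirect
  '/\\evil.example',                                 // backslash variant of the above
  'https://evil.example/',                           // absolute foreign origin
  'https://preview.pro.ant.design/dashboard?tab=1',  // same origin: allowed, made relative
  '/user/settings',                                  // plain relative path: allowed
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', safeRedirect(s, ORIGIN));
```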

auto-add-label bot added the FIX label Oct 21, 2019

netlify bot commented Oct 21, 2019

Deploy preview for ant-design-pro ready!

Built with commit 96315d9

https://deploy-preview-5461--ant-design-pro.netlify.com

chenshuai2144 changed the title "FIX: Reflected XSS Vulnerability in login after-action script" to "Fix: Reflected XSS Vulnerability in login after-action script" Oct 22, 2019

NSTikhomirov (Contributor, Author)

CVE-2019-18350

afc163 merged commit 840034c into ant-design:master Oct 24, 2019