Cross-site scripting (XSS) vulnerability in RaspAP-webgui v1.3.1 allows remote attackers (users) to inject arbitrary web script or HTML via the theme cookie.
Steps to reproduce
Login
Execute document.cookie = 'theme="><svg/onload=alert()>;path=/'; in your JavaScript console
Now, each time you access a RaspAP-webgui page, alert() will be triggered.
This vulnerability can be used if an attacker finds another vulnerability that lets them set arbitrary cookies for the user.
Expected behaviour
The theme cookie needs to be filtered before being returned in the page.
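As an added illustration (not RaspAP's own code; the function names, the output markup and the theme list are assumptions), the unsafe output pattern the report describes next to a hardened version that allowlists the cookie value and HTML-encodes it on output:

```php
<?php
// Added example, not code from RaspAP-webgui. The link markup and the
// theme list below are assumptions made for illustration.

// Unsafe pattern: the cookie value is concatenated straight into an
// attribute, so a value such as  "><svg/onload=alert()>  closes the tag
// and injects markup into every page that renders it.
function theme_link_unsafe(array $cookies): string
{
    $theme = $cookies['theme'] ?? 'default.css';
    return '<link rel="stylesheet" href="css/' . $theme . '">';
}

// Hardened pattern: accept only a name from a fixed allowlist, fall back
// to the default otherwise, and still HTML-encode on output as defence
// in depth against any later change that widens the allowed values.
const ALLOWED_THEMES = ['default.css', 'custom.css']; // assumed list

function theme_link_safe(array $cookies): string
{
    $theme = $cookies['theme'] ?? 'default.css';
    if (!in_array($theme, ALLOWED_THEMES, true)) {
        $theme = 'default.css';
    }
    $encoded = htmlspecialchars($theme, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<link rel="stylesheet" href="css/' . $encoded . '">';
}

// Constructed samples: a legitimate theme and the cookie from the report.
$samples = [
    ['theme' => 'custom.css'],
    ['theme' => '"><svg/onload=alert()>'],
];

foreach ($samples as $cookies) {
    echo "unsafe:   " . theme_link_unsafe($cookies) . "\n";
    echo "hardened: " . theme_link_safe($cookies) . "\n";
}
```

With the second sample, the unsafe function emits a closed link tag followed by an injected svg element, while the hardened one emits the default stylesheet link and nothing else.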
D9ping added a commit to D9ping/raspap-webgui that referenced this issue on Jul 31, 2018