marcusramberg
published
GHSA-xmpj-xwm3-vww7
Jan 4, 2022
Package
Convos.pm
(Perl)
Affected versions
6.51, 6.50, 6.49
Patched versions
6.52
Description
Summary
Convos is an open source multi-user chat that runs in a web browser. Text starting with "https://" in the chat window is turned into a link tag. A stored XSS vulnerability using the onfocus and autofocus attributes occurs because "<" and ">" are escaped but the double quote character is not.
Impact
Through this vulnerability, an attacker is able to execute malicious scripts.
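The following is an added JavaScript example, not code from Convos, showing why escaping only "<" and ">" is insufficient once untrusted text is placed inside an HTML attribute value. The helpers (escapeTagsOnly, escapeHtml, linkify, anchorAttributeNames, attributeBreakout) and the chat message are hypothetical and constructed for this illustration; the tags-only escaper mirrors the shape of the bug the advisory describes, and the complete escaper is the corrected form.

```javascript
// Added example (not Convos code): escaping "<" and ">" alone does not
// protect text that ends up inside an attribute value such as href="...".

// Incomplete escaper: the shape of the bug described in the advisory.
// Only the characters that could open a new tag are handled.
function escapeTagsOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Complete escaper: also neutralises the characters that can terminate an
// attribute value ('"' and "'") and the entity-start character ("&").
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical linkifier: turns every https:// URL in a chat message into an
// anchor tag and runs all text through the supplied escaper.
const URL_RE = /https:\/\/\S+/g;

function linkify(message, escape) {
  let out = "";
  let last = 0;
  for (const m of message.matchAll(URL_RE)) {
    out += escape(message.slice(last, m.index));
    const url = escape(m[0]);
    out += `<a href="${url}">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escape(message.slice(last));
}

// Defensive check: list the attribute names on the generated <a> tag.
// A raw '"' inside the URL closes the href value early, so anything after it
// is parsed by the browser as additional attributes (the advisory's
// onfocus/autofocus case). A safe render carries exactly one attribute: href.
function anchorAttributeNames(html) {
  const tag = html.match(/<a\s([^>]*)>/);
  if (!tag) return [];
  return [...tag[1].matchAll(/([a-zA-Z-]+)(?:="[^"]*")?/g)].map((m) => m[1]);
}

// True when the rendered anchor carries any attribute other than href,
// i.e. the message text escaped the attribute boundary.
function attributeBreakout(message, escape) {
  return anchorAttributeNames(linkify(message, escape)).some((n) => n !== "href");
}

// Constructed chat message: a URL containing a double quote followed by text.
const CONSTRUCTED_MESSAGE = 'see https://example.test/path"x for details';

console.log(linkify(CONSTRUCTED_MESSAGE, escapeTagsOnly));
// href value is terminated early; "x" becomes a second attribute
console.log(linkify(CONSTRUCTED_MESSAGE, escapeHtml));
// the quote is rendered as &quot; and stays inside the href value
```

Running the two renders side by side shows the difference: with the tags-only escaper the anchor ends up with attributes `href` and `x`, while the complete escaper keeps the quote inside the href value as `&quot;` and the anchor has only `href`. The same check can be run over stored messages to confirm a rendering path escapes every attribute-delimiting character, not just the tag-opening ones.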
Patches
86b2193
References