
Fix multiple XSS issues in User Management page #1547

Merged
merged 1 commit into from Aug 24, 2019

Conversation

dmaciejak
Copy link
Collaborator

If the user name embeds some JS code, it will be executed on the client side. Note: gophish/static/js/dist/app/users.min.js will need to be regenerated too.

@dmaciejak dmaciejak changed the title Fix multiple XSS issues Fix multiple XSS issues in User Management page Aug 20, 2019
@jordan-wright
Copy link
Collaborator

LGTM - thanks! I don't know why I presumed that template literals would escape the variable contents. Great catch!

Just to make sure I'm not missing anything here, this seems like a self-stored XSS, in that only admins can create users, and only admins can view this user management page, right?

@jordan-wright jordan-wright merged commit 24fe998 into gophish:master Aug 24, 2019
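The pattern discussed in the PR description and in jordan-wright's comment above, as an added example rather than the PR's diff or gophish's own code: a template literal interpolates the username straight into table markup (the "before" shape) beside a row builder that escapes each untrusted field first. The `escapeHtml` helper, the row-rendering functions and the sample user are assumptions for illustration; gophish's actual users.js is not reproduced here.

```javascript
// Added example (not gophish's code): template literals only substitute
// strings; they do not escape HTML, so user-controlled data interpolated
// into markup is parsed as markup by the browser.

// Assumed helper: escape the characters that matter in HTML text and
// attribute contexts. The order matters: '&' must be replaced first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// "Before" shape: the username lands in the row verbatim.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.username}</td><td>${user.role}</td></tr>`;
}

// "After" shape: every untrusted field is escaped before concatenation,
// so a name carrying markup is rendered as literal text.
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.username)}</td><td>${escapeHtml(user.role)}</td></tr>`;
}

// Constructed sample: an admin-created account whose name carries a tag.
const SAMPLE_USER = { username: "alice<script>alert(1)</script>", role: "user" };

// Regression check for a test suite: rendered rows must never contain a
// raw script tag opener, whatever the stored username looks like.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderUserRowUnsafe(SAMPLE_USER)); // tag survives intact
console.log(renderUserRowSafe(SAMPLE_USER));   // tag rendered as &lt;script&gt;
```

The same check applies to any other field that reaches the page through a template literal, which is why the minified users.min.js must be regenerated from the fixed source as the description notes.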
@dmaciejak
Copy link
Collaborator Author

From my test, I would say 'yes': only the user management page is affected. When authenticated as a malicious user name, the Account Settings page is not triggering the XSS.

@dmaciejak dmaciejak deleted the patch-2 branch September 7, 2019 04:59