New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SECURITY] Persistent Cross-Site Scripting (XSS) #9170

JavierOlmedo opened this Issue Sep 7, 2018 · 1 comment


None yet
2 participants

JavierOlmedo commented Sep 7, 2018


dashboard_name parameter is vulnerable to Persistent Cross-Site Scripting attacks through POST requests in /ajax_form.php resource.

This vulnerability, allow remote attackers to inject arbitrary web script or HTML.

Proof of concept (PoC)
Click in New Dashboard (+) and enter payload "<script>alert('XSS PoC')</script>" in name field


@murrant murrant referenced this issue Sep 8, 2018


Sanitize data in dashboard add/edit/delete #9171

1 of 1 task complete

@murrant murrant closed this in #9171 Sep 8, 2018


This comment has been minimized.


laf commented Sep 8, 2018

@JavierOlmedo Thanks for the report.

Please note for future reference that we ask people to contact us via email for security related issues: and that GitHub isn't used for reporting any form of bugs or security issues.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 7, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.