Reflected / Stored XSS - CVE-2022-47968 #1086
Comments
|
Nice one, thanks. |
|
Update, this is actually a stored XSS, the JavaScript code can be saved and executed when a user visit the page "Application list".
|
|
I try to prepare a fix. Note that there is actually a feature to store javascript that gets executed on the page 🤷 |
|
That's true, in that case should we consider this as an extended feature? |
|
Probably as a bug, not sure if it qualifies for a CVE... |
|
Well... a bug could be considered as a flaw or vulnerability in the software or hardware design that can be potentially exploited by the attackers. These security bugs can be used to exploit various vulnerabilities by compromising – user authentication, authorization of access rights and privileges, data confidentiality, and data integrity. |
|
@iodn a fix was released now in v2.5.5, please double check if you have time. If you find anything else feel free to report. |
|
I've checked the new version this morning and it seems to be fixed! |
Hello Team,
Found a reflected XSS in the "Add application" page. It is possible to inject JavaScript code in the "Application name" input.
Not a big deal I guess but still wanted to warn about it.
Edit: Found in version 2.5.4
The text was updated successfully, but these errors were encountered: