Within the Edit User Instructions field, where you can enter source code, you are able to generate scripting that then executes in the user's browser when they click on the instructions page.
POC:
<body onload=alert(1)></body>
Additionally, <a href=# onmouseover=alert(1)>Text</a> will also execute scripting in the browser.
@galaktipus
HTML is allowed in the User Instructions field, so <script> is implicitly permitted.
This isn't a bug/issue; this is a feature request to limit the User Instructions field to a safe(r) subset of HTML (if such a thing actually exists!).
The ticket doesn't state why this potential XSS is an issue. An adversary would require admin rights to edit the User Instructions field and can therefore already perform all actions in the application.
Version: 1.4
POC video is available here: https://youtu.be/SpFmM03Jl40