
Cross Site Scripting Vulnerability in Latest Release #28

Open
HatBoy opened this issue Mar 14, 2019 · 2 comments

Comments


HatBoy commented Mar 14, 2019

Hi, I would like to report a Cross Site Scripting vulnerability in the latest release.

Description:
Cross-site scripting (XSS) vulnerability in app/api/cms/user.py, line 12, register() function, and app/api/cms/log.py, line 23, get_logs() function.
An XSS payload used as the user name will be executed in the log when registering users.
Steps To Reproduce:
1. Add a user whose username is the XSS payload.
2. Then log in with that username; in the log manager you will find that the XSS payload has already executed. The super user can also see it.

Author: jin.dong@dbappsecurity.com.cn

@7insummer

Thanks for these suggestions. As we have just started, SQL injection and CSRF prevention, among others, have been put on the agenda but have not yet been achieved. We will improve these security issues in the near future. Thanks again.


OS-WS commented Aug 17, 2021

Hi @7insummer @HatBoy,
Was this issue fixed?
If so, in what commit and what tag/version?
Thanks!
