This repository has been archived by the owner on Oct 1, 2020. It is now read-only.

Cross Site Scripting Vulnerability in Latest Release #675

HatBoy opened this issue Mar 21, 2019 · 1 comment

HatBoy commented Mar 21, 2019

Hi, I would like to report a Cross Site Scripting vulnerability in the latest release.

Description:
Cross-site scripting (XSS) vulnerability in quokka/admin/actions.py, lines 90 and 151, because the username is not filtered.
The vulnerable code is:

```python
flash(Markup(
    f'Profile block for {user["username"]} '
    f'Created at: '
    f'<a href="{newlink}">{new.inserted_id}</a>'
))
```

Steps To Reproduce:
1. Create a user whose username is an XSS payload, like: `<script>alert(3)</script>`
2. Select the username and create a user profile block, then trigger the payload.

Author: jin.dong@dbappsecurity.com.cn
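The root cause the report points at is that a user-controlled value (the username) is interpolated into a string that is then wrapped in `Markup`, which tells Flask's template layer the string is already safe and must not be escaped. The following is an added example, not code from the report or from the quokka project: it puts the reported pattern side by side with a hardened version that escapes every interpolated value before the result is marked safe. Function names (`build_flash_unsafe`, `build_flash_safe`), the sample users and the stand-in `inserted_id` are constructed for the example; `html.escape` from the standard library is used here in place of `markupsafe.escape` so the example runs without Flask installed (both perform the same HTML entity escaping).

```python
"""Constructed example: why wrapping interpolated user input in Markup() is
unsafe, and how escaping each value before marking the string safe fixes it."""
import html

# Constructed sample inputs (not from the report): a benign username, and one
# that reuses the payload quoted in the issue.
SAMPLE_USERS = [
    {"username": "alice"},
    {"username": "<script>alert(3)</script>"},
]
SAMPLE_LINK = "/admin/block/edit/abc123"   # constructed, stands in for `newlink`
SAMPLE_ID = "abc123"                       # constructed, stands in for `new.inserted_id`


def build_flash_unsafe(username: str, newlink: str, inserted_id: str) -> str:
    """Reproduces the reported pattern: raw interpolation of the username.

    In the original code this string is passed to Markup(), so whatever the
    user typed as a username is rendered as HTML by the browser.
    """
    return (
        f'Profile block for {username} '
        f'Created at: '
        f'<a href="{newlink}">{inserted_id}</a>'
    )


def build_flash_safe(username: str, newlink: str, inserted_id: str) -> str:
    """Hardened version: every dynamic value is HTML-escaped before being
    placed into the markup. Only the author-controlled tags survive as HTML.

    quote=True also escapes " and ', which matters for `newlink` because it
    lands inside an href="" attribute.
    """
    safe_user = html.escape(username, quote=True)
    safe_link = html.escape(newlink, quote=True)
    safe_id = html.escape(str(inserted_id), quote=True)
    return (
        f'Profile block for {safe_user} '
        f'Created at: '
        f'<a href="{safe_link}">{safe_id}</a>'
    )


def contains_raw_script_tag(fragment: str) -> bool:
    """Detection helper: does the fragment still carry an unescaped <script tag?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        unsafe = build_flash_unsafe(user["username"], SAMPLE_LINK, SAMPLE_ID)
        safe = build_flash_safe(user["username"], SAMPLE_LINK, SAMPLE_ID)
        print("unsafe:", unsafe, "| raw <script>:", contains_raw_script_tag(unsafe))
        print("safe:  ", safe, "| raw <script>:", contains_raw_script_tag(safe))
```

The fix the report implies is the second function: escape first, then wrap the already-safe string in `Markup`. With markupsafe, the idiomatic form is `Markup('Profile block for {} ...').format(user["username"], ...)`, since `Markup.format` escapes its arguments automatically; the hardened function above shows the same idea explicitly so the escaping step is visible.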

@marcosptf
Collaborator

This issue was fixed in PR #678.
