This repository has been archived by the owner on Oct 1, 2020. It is now read-only.
Hi, I would like to report a Cross Site Scripting vulnerability in the latest release.
Description:
Cross-site scripting (XSS) vulnerability in quokka/admin/actions.py, lines 90 and 151, because the username is not filtered.
The vulnerable code is:

```python
flash(Markup(
    f'Profile block for {user["username"]} '
    f'Created at: '
    f'<a href="{newlink}">{new.inserted_id}</a>'
))
```

Steps To Reproduce:
1. Create a user whose username is an XSS payload, like: `<script>alert(3)</script>`
2. Select the username and Create user profile block, then trigger the payload.
author by jin.dong@dbappsecurity.com.cn
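The interpolation pattern quoted in the report, next to an escaped variant, as an added example that is not part of the original issue or of the Quokka code base. The function names and the sample link are hypothetical, and the standard library's `html.escape` stands in for the escaping step so the block runs without Flask.

```python
from html import escape


def flash_message_unsafe(username, newlink, inserted_id):
    """Mirror the reported pattern: values are interpolated as-is into an
    HTML string, which the application then wraps in Markup() (marking the
    whole string, user input included, as trusted HTML)."""
    return (
        f'Profile block for {username} '
        f'Created at: '
        f'<a href="{newlink}">{inserted_id}</a>'
    )


def flash_message_escaped(username, newlink, inserted_id):
    """Same message, but every interpolated value is HTML-escaped first.
    quote=True also escapes " and ', which matters inside href="..."."""
    return (
        f'Profile block for {escape(str(username), quote=True)} '
        f'Created at: '
        f'<a href="{escape(str(newlink), quote=True)}">'
        f'{escape(str(inserted_id), quote=True)}</a>'
    )

# In a Flask application the equivalent idiom is to keep the template a
# Markup literal and pass values through Markup.format(), which escapes
# its arguments, instead of building the string with an f-string.


if __name__ == "__main__":
    # Constructed sample values; the username is the one from the report.
    username = "<script>alert(3)</script>"
    newlink = "/example/block/PLACEHOLDER_ID"   # hypothetical link
    inserted_id = "PLACEHOLDER_ID"

    print("unsafe :", flash_message_unsafe(username, newlink, inserted_id))
    print("escaped:", flash_message_escaped(username, newlink, inserted_id))
```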