| عنوان | GitHub Web Application Express Gateway 1.16.10 and possibly earlier Cross Site Scripting |
|---|
| الوصف | A stored Cross-Site Scripting (XSS) vulnerability exists in Express Gateway (all versions prior to the patched release) within the REST API endpoints for user and application creation and update (/users and /apps).
User input from req.body is directly passed to service layer functions without validation or sanitization. An attacker can inject malicious JavaScript code into fields such as firstname or name. The injected script is stored and subsequently executed when affected data is rendered in the web interface, potentially leading to session hijacking, unauthorized actions, data theft, or full account compromise. |
|---|
| المصدر | ⚠️ https://github.com/freshfish-hust/my-cves/issues/5 |
|---|
| المستخدم | Haoatao (UID 88608) |
|---|
| ارسال | 03/08/2025 05:34 AM (9 أشهر منذ) |
|---|
| الاعتدال | 17/08/2025 02:54 PM (14 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 320417 [ExpressGateway express-gateway حتى 1.16.10 REST Endpoint lib/rest/routes/users.js البرمجة عبر المواقع] |
|---|
| النقاط | 20 |
|---|