| Titel | GitHub Web Application Express Gateway 1.16.10 and possibly earlier Cross Site Scripting |
|---|
| Beschreibung | A stored Cross-Site Scripting (XSS) vulnerability exists in Express Gateway (all versions prior to the patched release) within the REST API endpoints for user and application creation and update (/users and /apps).
User input from req.body is directly passed to service layer functions without validation or sanitization. An attacker can inject malicious JavaScript code into fields such as firstname or name. The injected script is stored and subsequently executed when affected data is rendered in the web interface, potentially leading to session hijacking, unauthorized actions, data theft, or full account compromise. |
|---|
| Quelle | ⚠️ https://github.com/freshfish-hust/my-cves/issues/5 |
|---|
| Benutzer | Haoatao (UID 88608) |
|---|
| Einreichung | 03.08.2025 05:34 (vor 9 Monaten) |
|---|
| Moderieren | 17.08.2025 14:54 (14 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 320417 [ExpressGateway express-gateway bis 1.16.10 REST Endpoint lib/rest/routes/users.js Cross Site Scripting] |
|---|
| Punkte | 20 |
|---|