| Field | Value |
|---|---|
| Title | 1Panel-dev MaxKB <= v2.2.1 Stored XSS |
| Description | MaxKB is vulnerable to Stored Cross-Site Scripting (XSS) because application names and icons are not HTML-escaped when processed. An authenticated user can create an application whose name contains a malicious payload. When any user visits the public chat interface (`/ui/chat/{access_token}`), StaticHeadersMiddleware performs an unescaped string replacement that injects the application data directly into the HTML response. This allows the attacker to break out of the `<title>` tag and execute arbitrary JavaScript in the victim's browser context. |
| Source | https://github.com/AnalogyC0de/public_exp/issues/23 |
| User | Ana10gy (UID 93358) |
| Submission | 17.03.2026 17:30 (30 days ago) |
| Moderation | 11.04.2026 09:35 (25 days later) |
| Status | Accepted |
| VulDB Entry | 356965 [1Panel-dev MaxKB up to 2.2.1 Public Chat Interface static_headers_middleware.py StaticHeadersMiddleware Name Cross Site Scripting] |
| Points | 20 |