| शीर्षक | GitHub Web Application Express Gateway 1.16.10 and possibly earlier Cross Site Scripting |
|---|
| विवरण | A stored Cross-Site Scripting (XSS) vulnerability exists in Express Gateway (all versions prior to the patched release) within the REST API endpoints for user and application creation and update (/users and /apps).
User input from req.body is directly passed to service layer functions without validation or sanitization. An attacker can inject malicious JavaScript code into fields such as firstname or name. The injected script is stored and subsequently executed when affected data is rendered in the web interface, potentially leading to session hijacking, unauthorized actions, data theft, or full account compromise. |
|---|
| स्रोत | ⚠️ https://github.com/freshfish-hust/my-cves/issues/5 |
|---|
| उपयोगकर्ता | Haoatao (UID 88608) |
|---|
| सबमिशन | 03/08/2025 05:34 AM (9 महीनों पहले) |
|---|
| संयम | 17/08/2025 02:54 PM (14 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 320417 [ExpressGateway express-gateway तक 1.16.10 REST Endpoint lib/rest/routes/users.js क्रॉस साइट स्क्रिप्टिंग] |
|---|
| अंक | 20 |
|---|