提出 #50338: Unauthenticated Stored XSS in apinto-dashboard <= v1.1.0-beta via callback, username情報

タイトル	Unauthenticated Stored XSS in apinto-dashboard <= v1.1.0-beta via callback, username
説明	# Get start repo: https://github.com/eolinker/apinto-dashboard 1,Download and unzip the installation package Apinto 2,Start gateway 3,Download and unzip the installation package Apinto Dashboard 4,Start Apinto Dashboard ```bash wget https://github.com/eolinker/apinto/releases/download/v0.8.0/apinto-v0.8.0.linux.x64.tar.gz && tar -zxvf apinto-v0.8.0.linux.x64.tar.gz && cd apinto ./apinto start cd .. wget https://github.com/eolinker/apinto-dashboard/releases/download/v1.1.0-beta/apinto-dashboard-v1.1.0-beta.linux.x64.tar.gz && tar -zxvf apinto-dashboard-v1.1.0-beta.linux.x64.tar.gz && cd apinto-dashboard ./apinto-dashboard ``` # Unauthenticated Stored XSS While user loging, the wrong user name and callback parameter will be recorded in the activity log, but the output parameters are not escaped correctly, external attacker can inject arbitrary js code. poc: open /login?callback=/<img src=1 onerror=alert(/2nd-xss/)> enter `<img src=1 onerror=alert(/1st-xss/)>` at the username ![](https://c2.im5i.com/2022/11/01/XrTL4.png) ![](https://c2.im5i.com/2022/11/01/XrXvW.png) then open /activity-log ![](https://c2.im5i.com/2022/11/01/Xrjjd.png) ![](https://c2.im5i.com/2022/11/01/XrHKR.png)
ユーザー	Tomy (UID 34751)
送信	2022年11月01日 11:54 (4 年 ago)
モデレーション	2022年11月01日 16:50 (5 hours later)
ステータス	承諾済み
VulDBエントリ	212640 [eolinker apinto-dashboard /login callback クロスサイトスクリプティング]
ポイント	17

◂ 前概要次 ▸

Want to know what is going to be exploited?

We predict KEV entries!