| 제목 | GitHub Web Application Express Gateway 1.16.10 and possibly earlier Cross Site Scripting |
|---|
| 설명 | A stored Cross-Site Scripting (XSS) vulnerability exists in Express Gateway (all versions prior to the patched release) within the REST API endpoints for user and application creation and update (/users and /apps).
User input from req.body is directly passed to service layer functions without validation or sanitization. An attacker can inject malicious JavaScript code into fields such as firstname or name. The injected script is stored and subsequently executed when affected data is rendered in the web interface, potentially leading to session hijacking, unauthorized actions, data theft, or full account compromise. |
|---|
| 원천 | ⚠️ https://github.com/freshfish-hust/my-cves/issues/5 |
|---|
| 사용자 | Haoatao (UID 88608) |
|---|
| 제출 | 2025. 08. 03. AM 05:34 (9 개월 ago) |
|---|
| 모더레이션 | 2025. 08. 17. PM 02:54 (14 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 320417 [ExpressGateway express-gateway 까지 1.16.10 REST Endpoint lib/rest/routes/users.js 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 20 |
|---|