| tiêu đề | Mist.io Mist Community Edition (CE) 4.7.1 Cross Site Scripting |
|---|
| Mô tả | Vulnerability
Stored Cross-Site Scripting (XSS) in Multiple Resource Tag Fields
Summary
Mist Community Edition (CE) before v4.7.2 fails to sanitize user-controlled input in tag value fields across multiple resource types. An authenticated attacker can inject persistent JavaScript payloads via crafted tags, which will be executed automatically when the victim visits the vulnerable endpoint.
For full technical details, including proof of concept steps and video please refer to my GitHub repository in the "Advisory / Exploit" field below.
Affected Versions
Vulnerable: ≤ 4.7.1
Fixed: 4.7.2
Suggested Severity
6.3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Vendor Coordination:
The vulnerability was responsibly disclosed to the Mist Community Edition maintainer. They acknowledged the report and explicitly agreed to a potential CVE assignment. A fix was implemented and released in version 4.7.2.
Mist CE Release 4.7.2 (Patched): https://github.com/mistio/mist-ce/releases/tag/v4.7.2
Fix Commit: https://github.com/mistio/mist.api/commit/db10ecb62ac832c1ed4924556d167efb9bc07fad
Discovered by
Alex Perrakis (Stolichnayer)
Efstratios Chatzoglou (efchatz)
Georgios Kambourakis |
|---|
| Nguồn | ⚠️ https://github.com/Stolichnayer/mist-ce-xss |
|---|
| Người dùng | alexperrakis (UID 85369) |
|---|
| Đệ trình | 23/05/2025 12:44 (cách đây 1 Năm) |
|---|
| Kiểm duyệt | 31/05/2025 18:51 (8 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 310751 [Mist Community Edition đến 4.7.1 views.py tag_resources ngày Tập lệnh chéo trang] |
|---|
| điểm | 20 |
|---|