| 标题 | GitHub Web Application Express Gateway 1.16.10 and possibly earlier Cross Site Scripting |
|---|
| 描述 | A stored Cross-Site Scripting (XSS) vulnerability exists in Express Gateway (all versions prior to the patched release) within the REST API endpoints for user and application creation and update (/users and /apps).
User input from req.body is directly passed to service layer functions without validation or sanitization. An attacker can inject malicious JavaScript code into fields such as firstname or name. The injected script is stored and subsequently executed when affected data is rendered in the web interface, potentially leading to session hijacking, unauthorized actions, data theft, or full account compromise. |
|---|
| 来源 | ⚠️ https://github.com/freshfish-hust/my-cves/issues/5 |
|---|
| 用户 | Haoatao (UID 88608) |
|---|
| 提交 | 2025-08-03 05時34分 (9 月前) |
|---|
| 管理 | 2025-08-17 14時54分 (14 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 320417 [ExpressGateway express-gateway 直到 1.16.10 REST Endpoint lib/rest/routes/users.js 跨网站脚本] |
|---|
| 积分 | 20 |
|---|