Cross-site Scripting (XSS) - Generic in frappe/charts


Reported on

Nov 3rd 2020


frappe-charts is vulnerable to Cross-Site Scripting (XSS).

Steps To Reproduce

  1. Open NPM repo
  2. Open the Explore demos
  3. At the bottom find the sandbox Ref:
  4. Use the payload "><img/&#09;&#10;&#11; src=~onerror=alert('XSS')> and place it in name: "Some Data'><img/ � src=~ onerror=alert(document.domain)>",
  5. XSS payload will get executed.
to join this conversation