Cross-site Scripting (XSS) - Stored in saleor/saleor-dashboard

Valid

Reported on

Jan 15th 2022

Description

Because the dangerouslySetInnerHTML method is used to output the input value of the DOM, XSS vulnerabilities occur in many logics.

"><img src=x onerror=alert(document.domain)>

Through this vulnerability, an attacker is capable to execute malicious scripts

TimelineNote.tsx L97

We are processing your report and will contact the saleor/saleor-dashboard team within 24 hours. a year ago

We have contacted a member of the saleor/saleor-dashboard team and are waiting to hear back a year ago

We have sent a follow up to the saleor/saleor-dashboard team. We will try again in 7 days. a year ago

We have sent a second follow up to the saleor/saleor-dashboard team. We will try again in 10 days. a year ago

A saleor/saleor-dashboard maintainer validated this vulnerability a year ago

Pocas has been awarded the disclosure bounty

The fix bounty is now up for grabs

A saleor/saleor-dashboard maintainer marked this as fixed in 3.0.0-b.29 with commit 8a9f41 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation