Cross-site Scripting (XSS) - Stored in saleor/saleor-dashboard

Valid

Reported on

Jan 15th 2022


Description

Because the dangerouslySetInnerHTML method is used to output the input value of the DOM, XSS vulnerabilities occur in many logics.

Proof of Concept

"><img src=x onerror=alert(document.domain)>

Impact

Through this vulnerability, an attacker is capable to execute malicious scripts

We are processing your report and will contact the saleor/saleor-dashboard team within 24 hours. 4 months ago
We have contacted a member of the saleor/saleor-dashboard team and are waiting to hear back 4 months ago
We have sent a follow up to the saleor/saleor-dashboard team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the saleor/saleor-dashboard team. We will try again in 10 days. 4 months ago
saleor/saleor-dashboard maintainer validated this vulnerability 4 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
saleor/saleor-dashboard maintainer confirmed that a fix has been merged on 8a9f41 4 months ago
The fix bounty has been dropped
TimelineNote.tsx#L97 has been validated
to join this conversation