Cross-site Scripting (XSS) - Reflected in cockpit-hq/cockpit
Aug 15th 2023
Payload: `"><script>alert(window.location)</script>`

GET /system/api/restApiViewer: Passing the XSS payload in any parameter leads to an XSS vulnerability.

GET /system/api/graphqlViewer: Passing the XSS payload in the `apiKey` parameter leads to an XSS vulnerability.
Proof of Concept
Through this hole, an attacker can execute malicious code.
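The leading `">` in the payload suggests the parameter is reflected inside a double-quoted HTML attribute. The added example below is not code from the report or from Cockpit: it renders a hypothetical template with `apiKey` first unencoded and then with output encoding, and checks whether the payload survives verbatim. The `<input>` markup and all function names are assumptions.

```javascript
// Added example: a hypothetical viewer template, not Cockpit's source code.
const PAYLOAD = '"><script>alert(window.location)</script>'; // payload from the report

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the request parameter is concatenated into a double-quoted attribute,
// so a value starting with "> closes the attribute and the tag.
function renderVulnerable(apiKey) {
  return `<input type="hidden" name="apiKey" value="${apiKey}">`;
}

// Hardened: same template, with output encoding applied at the point of insertion.
function renderHardened(apiKey) {
  return `<input type="hidden" name="apiKey" value="${escapeHtml(apiKey)}">`;
}

// Regression check: is the probe present verbatim (unencoded) in the rendered page?
function reflectsRaw(html, probe) {
  return html.includes(probe);
}

// Second check: would an HTML parser see a script element in the output?
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

for (const [name, render] of [['vulnerable', renderVulnerable], ['hardened', renderHardened]]) {
  const html = render(PAYLOAD);
  console.log(`${name}: raw=${reflectsRaw(html, PAYLOAD)} script=${containsScriptTag(html)}`);
  console.log(`  ${html}`);
}
```

The same two checks can be run against each parameter of each viewer route after a fix, to confirm that the probe comes back only in encoded form.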