Cross-site Scripting (XSS) - Stored in bytebase/bytebase

Valid

Reported on

Feb 4th 2022


Description

Hello there, there is a stored XSS in bytebase SQL editor.

Proof of Concept

  1. Install bytebase on your system.
  2. Go to /sql-editor and create a new query with name <img src=a onerror=alert(1)>
  3. Go back to the /sql-editor and go to Queries tab and see that a pop up appears, indicating the XSS payload is triggered.

Impact

This vulnerability is capable of stored XSS.

We are processing your report and will contact the bytebase team within 24 hours. 4 months ago
We have contacted a member of the bytebase team and are waiting to hear back 4 months ago
bytebase/bytebase maintainer validated this vulnerability 4 months ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the bytebase team. We will try again in 7 days. 4 months ago
We have sent a second fix follow up to the bytebase team. We will try again in 10 days. 3 months ago
bytebase/bytebase maintainer confirmed that a fix has been merged on 9ee929 3 months ago
The fix bounty has been dropped
to join this conversation