Cross-site Scripting (XSS) - Stored in bytebase/bytebase
Feb 4th 2022
Hello there, there is a stored XSS in bytebase SQL editor.
Proof of Concept
- Install bytebase on your system.
- Go to `/sql-editor` and create a new query with name `<img src=a onerror=alert(1)>`
- Go back to the `/sql-editor` and go to Queries tab and see that a pop up appears, indicating the XSS payload is triggered.
This vulnerability is capable of stored XSS.
A bytebase/bytebase maintainer validated this vulnerability a year ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
A bytebase/bytebase maintainer marked this as fixed in 0.13.0 with commit 9ee929 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
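The following is an added example, not code from the report, from bytebase, or from the fix commit. It shows the general pattern behind a stored XSS in a saved-query name: the name is stored verbatim and later written into markup, and the defence is to encode it at output time. The function names and the sample query list are hypothetical.

```javascript
// Added illustration (hypothetical names, not bytebase code).
// A saved query's name is attacker-controlled data that is rendered later,
// for every user who opens the list, which is what makes the XSS "stored".

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// equivalent to assigning it through a raw-HTML sink such as innerHTML.
function renderQueryListUnsafe(queries) {
  return "<ul>" + queries.map((q) => `<li>${q.name}</li>`).join("") + "</ul>";
}

// Hardened pattern: encode at output so the name is always treated as text.
// In a browser, assigning to textContent achieves the same result.
function renderQueryListSafe(queries) {
  return "<ul>" + queries.map((q) => `<li>${escapeHtml(q.name)}</li>`).join("") + "</ul>";
}

// Regression check for a test suite: list which stored names show up as
// live tags in rendered output (only <ul> and <li> are expected here).
function unexpectedTags(html) {
  const found = html.match(/<\s*([a-z][a-z0-9]*)/gi) || [];
  return found
    .map((t) => t.replace(/^<\s*/, "").toLowerCase())
    .filter((name) => name !== "ul" && name !== "li");
}

// Constructed sample data; the second name is the payload from the report.
const savedQueries = [
  { id: 1, name: "monthly report" },
  { id: 2, name: "<img src=a onerror=alert(1)>" },
];

console.log("unsafe:", unexpectedTags(renderQueryListUnsafe(savedQueries)));
console.log("safe:  ", unexpectedTags(renderQueryListSafe(savedQueries)));
```

A check like `unexpectedTags` belongs in the rendering component's tests, so that a later switch back to a raw-HTML sink fails the build.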