Cross-site Scripting (XSS) - Stored in bytebase/bytebase


Reported on

Feb 4th 2022


Hello there, there is a stored XSS in the bytebase SQL editor.

Proof of Concept

  1. Install bytebase on your system.
  2. Go to /sql-editor and create a new query with name <img src=a onerror=alert(1)>
  3. Go back to the /sql-editor and go to the Queries tab and see that a pop-up appears, indicating the XSS payload is triggered.


This vulnerability is capable of stored XSS.
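
The rendering flaw behind this class of report, as an added example that is not bytebase's code or the reporter's: it assumes a list view that builds HTML from saved query names, and goes one step beyond the report by also handling search-keyword highlighting. The function names, the `query-item` class and the sample names are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical renderer for a saved-query list (not bytebase code).
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that let text break out into markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into HTML as-is,
// so any markup saved in the name becomes live markup for every viewer.
function renderQueryItemUnsafe(name) {
  return `<li class="query-item">${name}</li>`;
}

// Hardened: split the RAW name on the keyword first, then escape every piece.
// The only tags in the output are the ones this function writes itself, and
// highlighting can never cut an entity such as "&amp;" in half.
function renderQueryItemSafe(name, keyword = "") {
  const raw = String(name);
  let parts = [raw];
  if (keyword) {
    // Treat the keyword as literal text, not as a regular expression.
    const pattern = keyword.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    // With a capture group, split() puts the matches at odd indices.
    parts = raw.split(new RegExp(`(${pattern})`, "gi"));
  }
  const body = parts
    .map((part, i) => (i % 2 === 1 ? `<mark>${escapeHtml(part)}</mark>` : escapeHtml(part)))
    .join("");
  return `<li class="query-item">${body}</li>`;
}

// Constructed sample data: the name from the report plus two ordinary names.
const SAVED_QUERIES = ["<img src=a onerror=alert(1)>", "Monthly report", "a&b amp"];

function renderQueriesTab(queries, keyword = "") {
  return `<ul>${queries.map((q) => renderQueryItemSafe(q, keyword)).join("")}</ul>`;
}

console.log(renderQueryItemUnsafe(SAVED_QUERIES[0])); // name is emitted as a tag
console.log(renderQueriesTab(SAVED_QUERIES, "amp"));   // name is emitted as text
```

Framework text bindings such as Vue's `{{ }}` interpolation apply this encoding automatically; raw-HTML bindings such as `v-html` do not, so any value routed through them needs the treatment shown in `renderQueryItemSafe`.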

We are processing your report and will contact the bytebase team within 24 hours. (a year ago)
We have contacted a member of the bytebase team and are waiting to hear back. (a year ago)
bytebase/bytebase maintainer validated this vulnerability. (a year ago)
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the bytebase team. We will try again in 7 days. (a year ago)
We have sent a second fix follow up to the bytebase team. We will try again in 10 days. (a year ago)
bytebase/bytebase maintainer marked this as fixed in 0.13.0 with commit 9ee929. (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE