Cross-site Scripting (XSS) - Stored in bytebase/bytebase
Valid
Reported on Feb 4th 2022
Description
Hello there, there is a stored XSS in bytebase SQL editor.
Proof of Concept
- Install bytebase on your system.
- Go to /sql-editor and create a new query with name <img src=a onerror=alert(1)>
- Go back to the /sql-editor and go to Queries tab and see that a pop up appears, indicating the XSS payload is triggered.
Impact
This vulnerability is capable of stored XSS.
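The report does not show the code that renders the Queries tab. The following is an added example, not bytebase code, assuming a list renderer that concatenates the saved query name into markup; it sets that pattern beside an escaped version and checks which elements end up in the output. All function names and the sample records are hypothetical.

```javascript
// Added illustration; not taken from the bytebase code base.
// Assumption: the saved-query list is built by placing the stored name into HTML.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is trusted and becomes markup.
function renderQueryItemUnsafe(query) {
  return `<li class="query" data-id="${query.id}"><span>${query.name}</span></li>`;
}

// Hardened pattern: every stored value is encoded for the context it lands in.
// In a component framework the equivalent is plain text interpolation
// (or textContent in the DOM) rather than a raw-HTML binding.
function renderQueryItemSafe(query) {
  return `<li class="query" data-id="${escapeHtml(query.id)}"><span>${escapeHtml(query.name)}</span></li>`;
}

// Regression helper: list the element names opened by a rendered fragment.
function openedElements(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g)].map((m) => m[1].toLowerCase());
}

// A list item may only ever open these elements, whatever the name contains.
function rendersOnlyTemplateElements(html) {
  const allowed = new Set(["li", "span"]);
  return openedElements(html).every((tag) => allowed.has(tag));
}

// Constructed sample records; the second name is the one used in the report.
const savedQueries = [
  { id: 1, name: "monthly report" },
  { id: 2, name: "<img src=a onerror=alert(1)>" },
];

for (const q of savedQueries) {
  console.log("unsafe ok:", rendersOnlyTemplateElements(renderQueryItemUnsafe(q)),
              "| safe ok:", rendersOnlyTemplateElements(renderQueryItemSafe(q)));
}
```

A check like `rendersOnlyTemplateElements` fits a unit test for any component that displays user-supplied names, so a later change back to raw HTML rendering fails the build.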
We are processing your report and will contact the bytebase team within 24 hours.
4 months ago
We have contacted a member of the bytebase team and are waiting to hear back
4 months ago
We have sent a fix follow up to the bytebase team. We will try again in 7 days.
4 months ago
We have sent a second fix follow up to the bytebase team. We will try again in 10 days.
3 months ago
The fix bounty has been dropped