Cross-site Scripting (XSS) - Stored in bytebase/bytebase
Valid
Reported on Feb 4th 2022
Description
Hello there, there is a stored XSS in bytebase SQL editor.
Proof of Concept
- Install bytebase on your system.
- Go to `/sql-editor` and create a new query with name `<img src=a onerror=alert(1)>`
- Go back to the `/sql-editor` and go to Queries tab and see that a pop up appears, indicating the XSS payload is triggered.
Impact
This vulnerability is capable of stored XSS.
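The bug class reported above, next to its output-encoding fix, as an added example that is not taken from the bytebase code base. The data shape and all function names are assumptions; the only value from the report is the query name used in the proof of concept.

```javascript
// Added illustration, not bytebase code. All names here are hypothetical.

// Constructed sample: saved queries as they might come back from storage.
const savedQueries = [
  { id: 1, name: "monthly report" },
  { id: 2, name: "<img src=a onerror=alert(1)>" }, // name from the report's PoC
];

// Vulnerable pattern: the stored name is concatenated into markup unescaped,
// so the browser parses it as an element whenever the list is rendered.
function renderQueryListUnsafe(queries) {
  return queries.map((q) => `<li data-id="${q.id}">${q.name}</li>`).join("");
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every stored value is encoded at the point of output.
function renderQueryListSafe(queries) {
  return queries
    .map((q) => `<li data-id="${escapeHtml(q.id)}">${escapeHtml(q.name)}</li>`)
    .join("");
}

// Regression check: each item contributes exactly two "<" (its <li> and </li>).
// Any extra "<" means stored data reached the output as markup.
function hasUnexpectedMarkup(html, itemCount) {
  const angleCount = (html.match(/</g) || []).length;
  return angleCount !== 2 * itemCount;
}

console.log(hasUnexpectedMarkup(renderQueryListUnsafe(savedQueries), savedQueries.length));
console.log(hasUnexpectedMarkup(renderQueryListSafe(savedQueries), savedQueries.length));
```

In a DOM or component-framework context, the equivalent fix is to bind the name as text (text interpolation or `textContent`) rather than as raw HTML.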
We are processing your report and will contact the bytebase team within 24 hours.
a year ago
We have contacted a member of the bytebase team and are waiting to hear back
a year ago
We have sent a fix follow up to the bytebase team. We will try again in 7 days.
a year ago
We have sent a second fix follow up to the bytebase team. We will try again in 10 days.
a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE