Cross-site Scripting (XSS) - Stored in patrowl/patrowlmanager

Status: Valid

Reported on: Nov 8th 2021


Description

PatrOwl is vulnerable to stored XSS.

Proof of Concept

(Proof-of-concept screenshot; the image is not reproduced in this text.)

Impact

This vulnerability permits an authenticated user to execute JavaScript in other users' web browsers.

References

Timeline

We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours. (10 months ago)
Guillaume GRABÉ modified the report (10 months ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md (10 months ago)
We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back (10 months ago)
patrowl/patrowlmanager maintainer validated this vulnerability (10 months ago)
Guillaume GRABÉ has been awarded the disclosure bounty
The fix bounty is now up for grabs
patrowl/patrowlmanager maintainer confirmed that a fix has been merged on 0eac0e (10 months ago)
The fix bounty has been dropped
patrowl/patrowlmanager maintainer (Maintainer), 10 months ago:

Thank you for the report! Please continue to report :) -- Nicolas aka MaKyOtOx

Guillaume GRABÉ (Researcher), 10 months ago:

Thanks for the quick answer ;) I'll check the app again soon!