Cross-site Scripting (XSS) - Stored in patrowl/patrowlmanager

Valid

Reported on Nov 8th 2021


Description

PatrOwl is vulnerable to stored XSS.

Proof of Concept

[Proof-of-concept screenshot; image not reproduced in the text]

Impact

This vulnerability permits an authenticated user to execute JavaScript in other users' web browsers.

References

Timeline

a month ago: We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours.
a month ago: Guillaume GRABÉ modified their report
a month ago: Guillaume GRABÉ modified their report
a month ago: Guillaume GRABÉ modified their report
a month ago: Guillaume GRABÉ modified their report
25 days ago: We created a GitHub Issue asking the maintainers to create a SECURITY.md
25 days ago: We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back
25 days ago: patrowl/patrowlmanager maintainer validated this vulnerability
Guillaume GRABÉ has been awarded the disclosure bounty
The fix bounty is now up for grabs
25 days ago: patrowl/patrowlmanager maintainer confirmed that a fix has been merged on 0eac0e
The fix bounty has been dropped
patrowl/patrowlmanager maintainer (Maintainer), 25 days ago:

Thank you for the report! Please continue to report :) -- Nicolas aka MaKyOtOx

Guillaume GRABÉ (Researcher), 25 days ago:

Thanks for the quick answer ;) I'll check the app again soon!