Cross-site Scripting (XSS) - Stored in patrowl/patrowlmanager

Valid

Reported on

Nov 8th 2021


Description

PatrOwl is vulnerable to stored XSS.

Proof of Concept

image

Impact

This vulnerability permits an authenticated user to execute JavaScript in other users' web browsers.

We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours. 2 years ago
Guillaume GRABÉ modified the report
2 years ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back 2 years ago
patrowl/patrowlmanager maintainer validated this vulnerability 2 years ago
Guillaume GRABÉ has been awarded the disclosure bounty
The fix bounty is now up for grabs
patrowl/patrowlmanager maintainer marked this as fixed with commit 0eac0e 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
patrowl/patrowlmanager maintainer
2 years ago

Maintainer


Thank you for the report! Please continue to report :) -- Nicolas aka MaKyOtOx

Guillaume GRABÉ
2 years ago

Researcher


Thanks for the quick answer ;) I'll check the app again soon!
