XSS in Markdown Events in alfio-event/alf.io
Dec 7th 2022
XSS Vulnerability in the Events and Markdown features
Proof of Concept
Log in to the dashboard
Insert or Edit Events in the Description and Link
Payload like that
Hi @reza.duty, I mark this issue as Valid. It should be noted it must be done by the admin/event creator itself and it should preview the data and click the link, which is quite a contrived scenario, but anyway, good catch! We appreciate it.
We already did a fix by filtering out any non http / https protocols, which should handle this specific case.