Cross-site Scripting (XSS) - Reflected in ptrofimov/beanstalk_console

Valid

Reported on

Jan 31st 2022


Description

Beanstalk Console is vulnerable to reflected Cross-Site Scripting via the server parameter.

Steps to reproduce

  1. Set up the Beanstalk console locally.

  2. Go to https://localhost/public/? and add a random server.

  3. Visit https://localhost/public/?server=%3Cimg%20src=x%20onerror=alert(document.domain)%3E

  4. You can see that an alert pops up with the domain name, confirming the reflected XSS.
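The handling that prevents this class of bug, shown as an added example that is not taken from beanstalk_console or from its merged fix: the `server` value is validated and then HTML-encoded at the point of output, next to the unsafe concatenation for contrast. The function names and the `host[:port]` format for `server` are assumptions.

```php
<?php
// Added example, not beanstalk_console code. All function names are hypothetical.

// Vulnerable pattern: the query parameter is concatenated into HTML as-is.
function render_server_unsafe(string $raw): string
{
    return '<h1>Server: ' . $raw . '</h1>';
}

// Encode for HTML text and quoted-attribute contexts.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumption: a server is "host" or "host:port". Returns null for anything else.
function parse_server_param(?string $raw): ?string
{
    if ($raw === null || strlen($raw) > 260) {
        return null;
    }
    $re = '/\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::(\d{1,5}))?\z/';
    if (!preg_match($re, $raw, $m)) {
        return null;
    }
    if (isset($m[1]) && ((int) $m[1] < 1 || (int) $m[1] > 65535)) {
        return null;
    }
    return $raw;
}

// Hardened pattern: validate first, then encode at the point of output.
function render_server_safe(?string $raw): string
{
    $server = parse_server_param($raw);
    if ($server === null) {
        return '<p class="error">Invalid server parameter</p>';
    }
    return '<h1>Server: ' . h($server) . '</h1>';
}

// Constructed inputs: the URL-decoded value from step 3 and an ordinary server.
foreach (['<img src=x onerror=alert(document.domain)>', 'localhost:11300'] as $s) {
    echo 'unsafe: ', render_server_unsafe($s), PHP_EOL;
    echo 'safe:   ', render_server_safe($s), PHP_EOL;
}
```

The output encoding in `h()` is what neutralises the markup; the format check is defence in depth and keeps rejected input from being echoed back at all.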

We are processing your report and will contact the ptrofimov/beanstalk_console team within 24 hours. 4 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
We have contacted a member of the ptrofimov/beanstalk_console team and are waiting to hear back 4 months ago
ptrofimov
4 months ago

Maintainer


I am a collaborator on the repo, and I am checking now the details.

nav-prak submitted a
4 months ago
nav-prak
4 months ago

Researcher


Do let me know if more information is required to verify the issue

We have sent a follow up to the ptrofimov/beanstalk_console team. We will try again in 7 days. 4 months ago
ptrofimov validated this vulnerability 4 months ago
nav-prak has been awarded the disclosure bounty
The fix bounty is now up for grabs
ptrofimov confirmed that a fix has been merged on e351c8 4 months ago
nav-prak has been awarded the fix bounty
include.php#L22 has been validated