Cross-site Scripting (XSS) - Reflected in cortezaproject/corteza-server
Feb 11th 2022
The logout function doesn't clean/filter value of "back" parameter before reflecting into html code leading to Reflected XSS vulnerability.
Proof of Concept
Visit URL: https://latest.cortezaproject.org/auth/logout?back=%22%3E%3Cscript%3Ealert(origin)%3C/script%3E%3C%22
Reflected XSS. Attacker can steal user's data or phishing attack.