Describe the bug
XSS is possible in CyberChef via jsonpath-plus jpath evaluations. After working with Google to fix a case where they had similar exposure, they were able to motivate the maintainer to return to the library after announcing he was leaving in February and release a patch to prevent this.
To Reproduce
Steps to reproduce the behavior or a link to the recipe / input used to cause the bug:
Expected behaviour
Untrusted user JSON paths should not lead to arbitrary JS evaluation. Bump the jsonpath-plus version up to the patched version.
Screenshots
Desktop (if relevant, please complete the following information):
Additional context
Add any other context about the problem here.
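As a defence-in-depth measure alongside the version bump requested above, an application can screen untrusted JSONPath strings before they reach any evaluator. The following is an added example, not code from CyberChef or jsonpath-plus: `checkJsonPath`, its length limit and the sample paths are assumptions made for illustration, and the accepted grammar is deliberately narrower than what the library supports.

```javascript
'use strict';

// Hypothetical helper: allowlist screen for untrusted JSONPath strings.
// Only static selectors are accepted; filter "?(...)" and script "(...)"
// expressions, which need expression evaluation, never match a pattern.
const MAX_PATH_LENGTH = 512; // assumed limit, tune for the application

const STATIC_SEGMENTS = [
  /^\.\.?(?:\*|[A-Za-z_][A-Za-z0-9_]*)/,   // .name  ..name  .*  ..*
  /^\.\.(?=\[)/,                            // ".." directly before a bracket
  /^\[\*\]/,                                // [*]
  /^\[-?\d+(?:,-?\d+)*\]/,                  // [0]  [0,2,5]
  /^\[-?\d*:-?\d*(?::-?\d*)?\]/,            // [1:4]  [::2]
  // Quoted names: conservatively exclude quotes, backslashes, parens, ? and @.
  /^\['[^'\\()?@]+'(?:,'[^'\\()?@]+')*\]/,  // ['a']  ['a','b']
];

// Returns { ok: true } or { ok: false, offset } where offset is the index
// of the first character that is not part of an allowed segment.
function checkJsonPath(path) {
  if (typeof path !== 'string' || path.length === 0 ||
      path.length > MAX_PATH_LENGTH || path[0] !== '$') {
    return { ok: false, offset: 0 };
  }
  let offset = 1;
  while (offset < path.length) {
    const rest = path.slice(offset);
    const hit = STATIC_SEGMENTS.map((re) => re.exec(rest)).find(Boolean);
    if (!hit) return { ok: false, offset };
    offset += hit[0].length;
  }
  return { ok: true };
}

// Constructed sample paths, not taken from the issue.
const samples = [
  "$.store.book[0].title",
  "$..book[*].author",
  "$['store']['book'][0:2]",
  "$..book[?(@.price<10)]",   // filter expression: rejected
  "$..book[(@.length-1)]",    // script expression: rejected
];
for (const p of samples) {
  const r = checkJsonPath(p);
  console.log(r.ok ? 'accept' : `reject at ${r.offset}`, p);
}
```

Rejected paths should be refused outright rather than rewritten, since any attempt to strip the expression part leaves the decision to the same parser being protected.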