[BUG] [XSS] Multiple reflected cross-site scripting vulnarabilites in Graphite composer mygraph parameters(action and graphName). #2794

0x566164696D · 2023-01-20T08:41:13Z

Product
Graphite

Product Version
Current master branch

Environment
docker graphiteapp/graphite-statsd. Builded from the current master branch.

Vulnerability
Reflected cross-site scripting (XSS)

Severity
Medium

Description
Cross-site scripting is a type of attack on web application clients, in which any code prepared by an attacker can be executed in the client’s browser. Vulnerability to this type of attack occurs due to incorrect filtering of user input data.

Impact
As a result of the attack, an attacker can steal a user session, make requests on behalf of the user, and get user credentials, etc.

Expected behavior
Sanitize all the parameters passed to the server by the user.

Steps to Reproduce

Login to the system
Go to

http://127.0.0.1/composer/mygraph?action="><script>alert(1)</script>&graphName=test
http://127.0.0.1/composer/mygraph?action=delete&graphName="><script>alert(1)</script>

The text was updated successfully, but these errors were encountered:

0x566164696D added the bug label Jan 20, 2023

deniszh added security Security issue xss labels Feb 19, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] [XSS] Multiple reflected cross-site scripting vulnarabilites in Graphite composer mygraph parameters(action and graphName). #2794

[BUG] [XSS] Multiple reflected cross-site scripting vulnarabilites in Graphite composer mygraph parameters(action and graphName). #2794

0x566164696D commented Jan 20, 2023

[BUG] [XSS] Multiple reflected cross-site scripting vulnarabilites in Graphite composer mygraph parameters(action and graphName). #2794

[BUG] [XSS] Multiple reflected cross-site scripting vulnarabilites in Graphite composer mygraph parameters(action and graphName). #2794

Comments

0x566164696D commented Jan 20, 2023