search

Kevinwochan / Slackr

An naive instant messaging web application built in ReactJS and Python Flask
1 stars 1 forks source link

XSS vulnerability #2

Open Kevinwochan opened 4 years ago

Kevinwochan commented 4 years ago

No sanitization is used on messages sent and received.

A registered user can send malicious messages to execute arbitrary JavaScript on all clients. This can be used to retrieve all active JWTs.