SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

XSS in Campaign test cases #222

Closed adm1nPanda closed 1 year ago

adm1nPanda commented 1 year ago

Describe the bug

Found an XSS Vulnerability in the "Edit Test Cases" window.

To Reproduce

Steps to reproduce the behavior:

  1. Select a Campaign
  2. Click on any test case or create a new test case
  3. Enter '' into the description field.
  4. Invoke XSS by clicking on the View/Edit button when hovering over the same input field

Expected behavior

Input should be parsed and XSS shouldn't execute

Additional context

XSS only executes when the user browses into the edit window and manually clicks on the view/edit button.

thebleucheese commented 1 year ago

@adm1nPanda thanks for the report, we were able to reproduce and will look into a fix for this ASAP

carlvonderheid commented 1 year ago

Fixed in 8.7.2