Open yuansec opened 12 months ago
A new XSS in YASGUI . poc: https://myendpoint.com/queryhttp://test.com'onclick=alert(123);'
YASGUI does not properly sanitize the input and renders the untrusted data as HTML code, which results in the execution of the JavaScript code contained in the onerror attribute.
Steps to Reproduce:
Navigate to the "endpoint" input field of the web application. Enter the following input string: https://myendpoint.com/queryhttp://test.com'onclick=alert(123);'
Submit the input.
A new XSS in YASGUI . poc: https://myendpoint.com/queryhttp://test.com'onclick=alert(123);'
YASGUI does not properly sanitize the input and renders the untrusted data as HTML code, which results in the execution of the JavaScript code contained in the onerror attribute.
Steps to Reproduce:
Navigate to the "endpoint" input field of the web application. Enter the following input string: https://myendpoint.com/queryhttp://test.com'onclick=alert(123);'
Submit the input.