cross-solution / YAWIK

YAWIK is a web application. It can be used as an applicant tracking system (ATS) or as a job board.
https://yawik.org
MIT License

External URL to track applications is not properly sanitized and leads to arbitrary code injection #514

Closed mbo-s closed 5 years ago

mbo-s commented 5 years ago

It is possible to inject HTML/JavaScript code like iframes into a job offer.

Steps to reproduce:

  1. Create a new job: https://yawik.org/demo/en/jobs/edit
  2. Under "Create job opening", in the menu "Track applications", change Mode to "use external link" and fill in e.g. `javascript:alert('xss');"><script>alert('xss');</script><iframe src="https://www.yawik.org"><rel="`
  3. Save

You will get two JavaScript messages "xss": one from the preview and one from the "Track applications" menu.
The iframe will be injected, too. [screenshot: track-applications]

cbleek commented 5 years ago

Yes, this field should be filtered.

Let's ask @sergey-galenko if he can fix this.

sergey-galenko commented 5 years ago

I'll take a look at it.