graphite-project / graphite-web

A highly scalable real-time graphing system
http://graphite.readthedocs.org/
Apache License 2.0

[BUG] Stored XSS in template name #2745

Open takyoni opened 2 years ago

takyoni commented 2 years ago

Describe the bug
It's possible to execute JS in the application context by modifying the API query values when saving a template.

To Reproduce
1. Access a new dashboard in a graphite-web instance (i.e. http://localhost/dashboard). You don't really need data in it.
2. Use the "Save As Template" feature (in the context menu Dashboard > Save As Template).
3. Give it a name: `<img src=1 onerror=alert(1)>`
   String to replace: `<img src=1 onerror=alert(1)>`
4. Use the "Template finder" feature (in the context menu Dashboard > Template finder).
5. You can see the XSS.

Expected behavior
This can be solved by removing or ignoring requests containing the characters "<" ">" and/or other escaping/scripting characters. -> Sanitize the value before using it.

Screenshots
Screenshot (2040), Screenshot (2041), Screenshot (2042), Screenshot (2044), Screenshot (2043)

Environment (please complete the following information):
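The report above boils down to a template name being concatenated into the template-finder markup without encoding. The following is an added example written for this page, not graphite-web's own dashboard code and not the fix from the linked PR: it models the list rendering twice, once with raw concatenation (the shape that yields a stored XSS) and once with HTML escaping applied at the sink, plus an allowlist validator as defence in depth. The template names, the `escapeHtml`, `renderTemplateList*`, `containsRawTag` and `isValidTemplateName` helpers, and the allowlist pattern are all assumptions made for illustration.

```javascript
// Added example, not graphite-web code. Constructed sample names, including
// the payload from the report; nothing here is read from a real instance.
const SAMPLE_TEMPLATE_NAMES = [
  'daily-cpu',
  '<img src=1 onerror=alert(1)>', // payload from the report
  'a"b\'c&d',                     // quotes and ampersand also need encoding
];

// Encode the characters that change meaning in HTML text and attribute
// contexts. Ampersand must be handled first so existing entities are not
// double-decoded later.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: stored data concatenated straight into markup. Anything
// saved with a tag in it becomes live HTML when the list is shown.
function renderTemplateListUnsafe(names) {
  return '<ul>' + names.map((n) => '<li>' + n + '</li>').join('') + '</ul>';
}

// Hardened shape: encode at the point where the value enters HTML.
// (In real DOM code the equivalent is li.textContent = n, never innerHTML.)
function renderTemplateListSafe(names) {
  return '<ul>' + names.map((n) => '<li>' + escapeHtml(n) + '</li>').join('') + '</ul>';
}

// Check whether any input that looks like a tag survives verbatim in the output.
function containsRawTag(html, names) {
  return names.some((n) => /<[a-zA-Z]/.test(n) && html.includes(n));
}

// Defence in depth on the write path: an allowlist (assumed pattern, not a
// graphite-web rule) is stricter and easier to reason about than rejecting
// "<" and ">", which misses attribute-context and other encoding tricks.
const TEMPLATE_NAME_PATTERN = /^[A-Za-z0-9 ._-]{1,64}$/;
function isValidTemplateName(name) {
  return TEMPLATE_NAME_PATTERN.test(String(name));
}

// Stand-alone demo when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderTemplateListUnsafe(SAMPLE_TEMPLATE_NAMES));
  console.log('safe   :', renderTemplateListSafe(SAMPLE_TEMPLATE_NAMES));
  for (const n of SAMPLE_TEMPLATE_NAMES) {
    console.log(JSON.stringify(n), 'valid name?', isValidTemplateName(n));
  }
}
```

Output encoding at the sink is the fix that actually closes the bug, because the stored value can reach the DOM through more than one path and a filter on the save request protects only that one path. The allowlist is worth keeping as well, but on its own it is a second line of defence, not a substitute for encoding.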

deniszh commented 1 year ago

Fixed in #2785