personium / app-uc-unit-manager

Unit Manager and Cell Manager are GUI tools that help you manage Personium cell(s).
https://www.youtube.com/watch?v=d1_pET0M-YA&feature=youtu.be
Apache License 2.0

XSS issues in OData View #157

Open yoh1496 opened 5 years ago

yoh1496 commented 5 years ago

There are one or more XSS issues in Cell Manager. I found it in OData View.

Steps to reproduce this problem are below:

  1. Create OData in somewhere of your box.
  2. Open the OData.
  3. Create Entity Type and Add Property to the OData Scheme. (Type: String)
  4. Add an entity which contains below code:
    <script type="text/javascript">alert(JSON.parse(sessionStorage.getItem('sessionData')).access_token)</script>

The attacker using this vulnerability can get the user token stored in sessionStorage.

yoh1496 commented 5 years ago

There were some changes in past.

Please try below code.

<script type="text/javascript">alert(JSON.parse(sessionStorage.getItem('ManagerInfo')).token)</script>

dixonsiu commented 5 years ago

Thanks. We will continue fixing them with jQuery's text method.
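
The root cause described in this thread is a stored XSS: a string property of an OData entity is concatenated into markup and handed to the DOM as HTML, so a `<script>` element in the stored value executes in the Cell Manager origin and can read the token from sessionStorage. Below is an added example, not code from this repository or from the maintainers, that models both the vulnerable rendering and the fix the maintainers describe (treating the value as text, which is what jQuery's `.text()` does). The entity shape (`__id`, `Name`) and the function names are assumptions for illustration; the payload string is the one posted in the issue.

```javascript
// Added example: models an OData View row builder. Not Cell Manager's own code.
// `entity` is a hypothetical OData entity: an object mapping property name -> value.

// The payload from the issue, stored as an entity property of type String.
const PAYLOAD =
  "<script type=\"text/javascript\">alert(JSON.parse(sessionStorage.getItem('ManagerInfo')).token)</script>";

// Constructed sample entity (assumed shape; not real Personium data).
const sampleEntity = { __id: "1", Name: PAYLOAD };

// Vulnerable pattern: property values are interpolated into an HTML string that is later
// given to innerHTML / jQuery .html() / $('<tr>' + ... + '</tr>'). The browser parses the
// stored value as markup, so the <script> in PAYLOAD ends up as a live element.
function renderRowUnsafe(entity) {
  const cells = Object.keys(entity)
    .map((k) => `<td>${entity[k]}</td>`)
    .join("");
  return `<tr>${cells}</tr>`;
}

// Escape the five characters that can change HTML context. This is the string-level
// equivalent of what jQuery's .text() / DOM textContent achieve when setting node content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reverse mapping: what a browser shows the user after parsing the escaped markup.
// Used only to demonstrate that the displayed text equals the stored value unchanged.
function unescapeHtml(s) {
  const map = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, (m) => map[m]);
}

// Hardened pattern: every value is escaped before it touches the markup, so the stored
// string is rendered literally and no element or attribute is created from it.
// In the browser the idiomatic form is to build nodes and set their text, e.g.
//   const $td = $("<td>").text(entity[k]);   // value becomes a text node, never parsed
// instead of
//   $("<td>" + entity[k] + "</td>");        // or $td.html(entity[k])
function renderRowSafe(entity) {
  const cells = Object.keys(entity)
    .map((k) => `<td>${escapeHtml(entity[k])}</td>`)
    .join("");
  return `<tr>${cells}</tr>`;
}

// Simple regression check a reviewer could run over rendered output: markup built from
// untrusted values must never contain a raw script or event-handler opening.
function looksInjected(html) {
  return /<script|<\/script|\bon\w+\s*=/i.test(html);
}

// Stand-alone demo.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderRowUnsafe(sampleEntity));
  console.log("safe:  ", renderRowSafe(sampleEntity));
  console.log("safe output injected?", looksInjected(renderRowSafe(sampleEntity)));
}
```

Note that escaping fixes the rendering path only; anything that can still run script in the origin can read sessionStorage, because Web Storage has no HttpOnly-style protection. Escaping at output is the correct fix for this bug, but a Content Security Policy without `unsafe-inline` is the usual second layer.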

shimono commented 2 years ago

Related to #89