Skip to content
This repository was archived by the owner on Mar 23, 2025. It is now read-only.

XSS Vulnerabilities on User Edit Page

High
hkalexling published GHSA-pg73-2855-jh9f Apr 4, 2022

Package

No package listed

Affected versions

<= 0.26.0

Patched versions

0.26.1

Description

Impact

An attacker will be able to construct a URL on the user edit page (<your instance>/admin/user/edit) with query parameters containing JS scripts. The attacker can then trick the victim into opening the URL and thus potentially compromising the session ID.

Patches

The issue has been fixed in v0.26.1

Workarounds

  • Upgrade to v0.26.1 ASAP
  • As a standard security practice, do not open malicious links

References

PoC in #289, thanks to @bararchy

Severity

High

CVE ID

No known CVE

Weaknesses

Credits