Yasgui icon indicating copy to clipboard operation
Yasgui copied to clipboard
verified publisher icon TriplyDB

Cross-Site Scripting (XSS) vulnerability in "endpoint" input field

Open yuansec opened this issue 2 years ago • 0 comments

A new XSS in YASGUI . poc: https://myendpoint.com/queryhttp://test.com'onclick=alert(123);'

YASGUI does not properly sanitize the input and renders the untrusted data as HTML code, which results in the execution of the JavaScript code contained in the onerror attribute.

Steps to Reproduce:

Navigate to the "endpoint" input field of the web application. Enter the following input string: https://myendpoint.com/queryhttp://test.com'onclick=alert(123);'

Submit the input.

yuansec avatar Jul 12 '23 02:07 yuansec