
XSS via JS Injection in "name"

Open ecrist opened this issue 5 years ago • 0 comments

There is a verified XSS vulnerability in the "name" variable for uploaded patch files. There is no input sanitization on the data contained in "name", which allows for injection of JavaScript code that could be utilized by an attacker.

Further exacerbating this issue is the lack of authentication controls in the patch server software.

ecrist, Jan 30 '20 14:01
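The report describes a stored XSS: a patch's "name" is accepted without validation and rendered without output encoding. The following is an added example (not PatchServer's own code, whose language and templates the issue does not show) of the two defensive layers a maintainer would apply: an allowlist check on "name" at upload time, and HTML escaping at render time. The function names, the allowlist pattern, and the table-row rendering are assumptions made for the illustration; the sample names are constructed, not taken from the issue. An unescaped renderer is shown beside the hardened one so the check helper can demonstrate the difference.

```python
import html
import re

# Allowlist for the patch "name" accepted at upload (constructed policy;
# the real PatchServer may legitimately permit a wider character set).
NAME_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]{0,127}$")


def validate_patch_name(name: str) -> bool:
    """First layer: reject a name outside the allowlist before it is stored."""
    return bool(NAME_PATTERN.fullmatch(name))


def render_patch_row_unsafe(name: str, version: str) -> str:
    """The defect the issue describes: untrusted values interpolated
    straight into HTML. Kept only for comparison with the hardened version."""
    return f'<tr><td data-name="{name}">{name}</td><td>{version}</td></tr>'


def render_patch_row(name: str, version: str) -> str:
    """Second layer: HTML-escape every untrusted value at render time.
    quote=True also encodes " and ' so the attribute context stays intact."""
    safe_name = html.escape(name, quote=True)
    safe_version = html.escape(version, quote=True)
    return (
        f'<tr><td data-name="{safe_name}">{safe_name}</td>'
        f"<td>{safe_version}</td></tr>"
    )


def injected_verbatim(rendered: str, untrusted: str) -> bool:
    """Check helper: True when an untrusted value containing HTML
    metacharacters appears unchanged in the output, i.e. encoding was skipped."""
    return any(c in untrusted for c in '<>"\'&') and untrusted in rendered


# Constructed sample upload names exercising the two layers.
SAMPLE_NAMES = {
    "benign": "Example-App-1.2.3",
    "markup": '<script>alert("name")</script>',
    "quote": 'Bad" name',
}

if __name__ == "__main__":
    for label, name in SAMPLE_NAMES.items():
        print(f"{label:7s} allowed at upload: {validate_patch_name(name)}")
        hardened = render_patch_row(name, "1.0")
        print(f"{label:7s} encoded verbatim leak: {injected_verbatim(hardened, name)}")
```

Escaping at the output boundary is the control that actually closes the XSS; the upload-time allowlist is defence in depth that also keeps obviously malformed names out of storage and logs. Auto-escaping template engines provide the second layer by default, but only when values are not marked as safe or concatenated into markup by hand.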