Reflected Cross-site Scripting Vulnerability #199
Comments
@stevenpkg Can you look into this?

@JStefanikIBM demo apps are meant to be simple applications using Watson services, and not necessarily commercial strength apps, @mitchmason @germanattanasio what do you all think?
germanattanasio added a commit that referenced this issue on Oct 7, 2018

germanattanasio added a commit that referenced this issue on Oct 8, 2018:
fix: Reflected Cross-site Scripting Vulnerability #199
🎉 This issue has been resolved in version 1.4.1 🎉 The release is available on: Your semantic-release bot 📦🚀
The app appears to suffer from an XSS vulnerability.
Writing the following payload to the chat will result in an alertbox displaying the domain that is hosting the Node.js app.

`<img src=x onerror=alert(document.domain)><!--`

The JavaScript code of the page is doing a request to /api/message and it uses the input:text to write the content into the chatbox message after the request is done. This behaviour could allow an attacker to inject custom JavaScript code that can be used to steal information from users or lure them to malicious websites.
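As an added illustration (not code from this issue or from the project), the two ways a chat client can write the text that comes back from /api/message into the chatbox: the unescaped concatenation that reflects the payload above as markup, and an escaped version that makes the browser render it as plain text. The function names, the wrapper markup and the tag check are assumptions for the example.

```javascript
// Escape the five characters that matter when text is placed inside an
// element body, so the browser treats the result as text, not markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the user's input is concatenated straight into the
// markup that will later be assigned to innerHTML. A message containing
// a tag is parsed as a tag, which is what the report above describes.
function renderMessageUnsafe(text) {
  return `<div class="message">${text}</div>`;
}

// Hardened pattern: escape before concatenation. In a browser client the
// equivalent (and simpler) fix is to set `node.textContent = text` rather
// than build HTML strings at all.
function renderMessageSafe(text) {
  return `<div class="message">${escapeHtml(text)}</div>`;
}

// Check used to compare the two renderings: does anything that the HTML
// parser would read as a tag or comment appear inside the wrapper div?
function containsForeignTag(html) {
  const inner = html
    .replace(/^<div class="message">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed input: the payload quoted in this issue.
const REPORTED_PAYLOAD = '<img src=x onerror=alert(document.domain)><!--';

// Renders the payload both ways and reports which one still carries markup.
function compareRenderings(text) {
  const unsafe = renderMessageUnsafe(text);
  const safe = renderMessageSafe(text);
  return {
    unsafeCarriesMarkup: containsForeignTag(unsafe),
    safeCarriesMarkup: containsForeignTag(safe),
    safeHtml: safe,
  };
}
```

Running `compareRenderings(REPORTED_PAYLOAD)` shows the unsafe rendering still carries the `<img>` tag while the escaped rendering carries only text.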