Cross Site Scripting (XSS) in Layers of Image in viliusle/minipaint

Valid

Reported on

Mar 17th 2023


Description

Cross-site scripting vulnerability in viliusle/minipaint, in the layer name in "Edit Image".

Proof of Concept

  1. Go to the URL: https://viliusle.github.io/miniPaint/
  2. Go to the layers option and add a new layer.
  3. Rename the layer with the payload.
  4. A popup appears.

For more detail, see the POC: https://drive.google.com/file/d/1etng0zEHk6xHTnr_T6VkmM2l8AfBjdFs/view?usp=share_link

var payload = "><img src=x onerror=alert(document.domain);>

Impact

An attacker can use XSS to send a malicious script to an unsuspecting user.
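
The report does not show the code that renders layer names. As an added example (not miniPaint's code and not the fix in commit f22cb4), the sketch below assumes a hypothetical renderer that builds a layer row by string concatenation, and shows the PoC name breaking out of the markup next to the same renderer with output encoding. All function names are assumptions.

```javascript
'use strict';

// Layer name taken from the report's proof of concept.
const POC_NAME = '"><img src=x onerror=alert(document.domain);>';

// Unsafe (hypothetical): the user-controlled name is concatenated into
// markup, so the quote and ">" in the name close the attribute and the tag,
// and the rest of the name is parsed as a new element.
function renderLayerRowUnsafe(layer) {
  return '<div class="layer" title="' + layer.name + '">' + layer.name + '</div>';
}

// Encode the characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same markup, but the name is encoded before insertion.
// In a browser, assigning the name to element.textContent (instead of
// building an HTML string) avoids the problem without manual encoding.
function renderLayerRowSafe(layer) {
  const name = escapeHtml(layer.name);
  return '<div class="layer" title="' + name + '">' + name + '</div>';
}

// Rough check for this demonstration only (not an HTML parser): list the
// names of opening tags found in the output. The renderer intends one <div>.
function openingTags(html) {
  const re = /<([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  return Array.from(html.matchAll(re), (m) => m[1].toLowerCase());
}

const layer = { name: POC_NAME };
console.log('unsafe tags:', openingTags(renderLayerRowUnsafe(layer)));
console.log('safe tags:  ', openingTags(renderLayerRowSafe(layer)));
console.log('safe markup:', renderLayerRowSafe(layer));
```

Any extra tag name in the unsafe output is markup that came from the layer name rather than from the renderer.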

We are processing your report and will contact the viliusle/minipaint team within 24 hours. (a year ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md (a year ago)
We have contacted a member of the viliusle/minipaint team and are waiting to hear back (10 months ago)
We have sent a follow up to the viliusle/minipaint team. We will try again in 4 days. (10 months ago)
viliusle/minipaint maintainer validated this vulnerability (10 months ago)
onkar0219 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
viliusle/minipaint maintainer
9 months ago

Are there any updates regarding this matter? May I inquire if there is a CVE assigned to this issue?

viliusle/minipaint maintainer
8 months ago

Are there any updates regarding this matter?

viliusle/minipaint maintainer
4 months ago

Any updates?????

viliusle/minipaint maintainer marked this as fixed in 4.14.0 with commit f22cb4 (3 months ago)
A ghost has been awarded the fix bounty
This vulnerability has now been published (3 months ago)
viliusle/minipaint maintainer
3 months ago

Another update (v4.14.1) was pushed, v4.14.0 was not enough.
