Cross-site Scripting (XSS) - Reflected in ptrofimov/beanstalk_console

Valid

Reported on

Jan 31st 2022


Description

Beanstalk Console is vulnerable to reflected Cross-Site Scripting via the server parameter.

Steps to reproduce

  1. Set up the Beanstalk console locally.

  2. Go to https://localhost/public/? and add a random server.

  3. Visit https://localhost/public/?server=%3Cimg%20src=x%20onerror=alert(document.domain)%3E

  4. You can see that an alert pops up with the domain name, confirming the reflected XSS.
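
The pattern behind the steps above, as an added example that is not part of the original report or the project's own code: a hypothetical template that reflects the `server` query parameter into HTML, beside the output-encoded form. The function names, the markup and the host:port allow-list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a template that reflects ?server= into the page.
// This is not the project's include.php; all names here are illustrative.

/** Vulnerable pattern: the request value is concatenated into HTML as-is. */
function renderServerUnsafe(string $server): string
{
    return '<h4>Server: ' . $server . '</h4>';
}

/** Hardened pattern: encode for the HTML context at the point of output. */
function renderServerSafe(string $server): string
{
    $encoded = htmlspecialchars($server, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h4>Server: ' . $encoded . '</h4>';
}

/**
 * Defence in depth: accept only host[:port] shaped values before using them.
 * The allowed character set is an assumption made for this example.
 */
function isPlausibleServer(string $server): bool
{
    return preg_match('/\A[A-Za-z0-9._-]{1,253}(:\d{1,5})?\z/', $server) === 1;
}

// The value from step 3 after URL decoding, plus a constructed benign value.
$samples = [
    rawurldecode('%3Cimg%20src=x%20onerror=alert(document.domain)%3E'),
    'localhost:11300',
];

foreach ($samples as $value) {
    printf("input    : %s\n", $value);
    printf("accepted : %s\n", isPlausibleServer($value) ? 'yes' : 'no');
    printf("unsafe   : %s\n", renderServerUnsafe($value));
    printf("safe     : %s\n\n", renderServerSafe($value));
}
```

Run from the command line with `php`, the unsafe line shows the markup passing through unchanged, while the safe line shows the angle brackets encoded as entities so a browser would render them as text.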

We are processing your report and will contact the ptrofimov/beanstalk_console team within 24 hours. 2 years ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
We have contacted a member of the ptrofimov/beanstalk_console team and are waiting to hear back 2 years ago
ptrofimov
2 years ago

Maintainer


I am a collaborator on the repo, and I am now checking the details.

Naveen
2 years ago

Researcher


Do let me know if more information is required to verify the issue.

We have sent a follow up to the ptrofimov/beanstalk_console team. We will try again in 7 days. 2 years ago
ptrofimov validated this vulnerability 2 years ago
Naveen Prakaasham has been awarded the disclosure bounty
The fix bounty is now up for grabs
ptrofimov marked this as fixed in 1.7.12 with commit e351c8 2 years ago
Naveen Prakaasham has been awarded the fix bounty
This vulnerability will not receive a CVE
include.php#L22 has been validated