Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reflected xss in Notify.js #1886

Open
DennisKretz opened this issue Nov 9, 2022 · 0 comments
Open

Reflected xss in Notify.js #1886

DennisKretz opened this issue Nov 9, 2022 · 0 comments

Comments

@DennisKretz
Copy link

FYI we have notified you many months ago, by email that there is an vuln in your code, but you did not reply nor fixed the issue.
So thats why i'm posting the issue here.

If you think this is already fixed, then see this ticket, as an open disclosure.

Describe the bug
It is possible, to run js when triggering an notification, when the notification gets the body/value of the parameter.

 if (title) {
                t = $("<div>").addClass("notify-title").html(title);
                notify.prepend(t);
            }
            m = $("<div>").addClass("notify-message").html(message);
            m.appendTo(notify);

To Reproduce
if you have an parameter that triggers an notification for metro, then just put "<script>alert(69)</script>" into the parameter value.
and you should see an alert poping up.

In our case, the problem was when searching for an url with a parameter, and the url was not found it would display the parameters content like " not found"

How to fix
We fixed it, by just replacing the ".html" to ".text"
image

Additional context
Thanks for reading, if you have any questions, then feel free to ask.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@DennisKretz