Cross-Site Scripting (XSS) vulnerability in "endpoint" input field
yuansec opened this issue · 0 comments
yuansec commented
A new XSS in YASGUI .
poc: https://myendpoint.com/queryhttp://test.com'onclick=alert(123);'
YASGUI does not properly sanitize the input and renders the untrusted data as HTML code, which results in the execution of the JavaScript code contained in the onerror attribute.
Steps to Reproduce:
Navigate to the "endpoint" input field of the web application.
Enter the following input string:
https://myendpoint.com/queryhttp://test.com'onclick=alert(123);'
Submit the input.