Reflected Cross-site Scripting Vulnerability
JStefanikIBM opened this issue ยท 3 comments
The app appears to suffer from an XSS vulnerability.
Writing the following payload to the chat will result in an alertbox displaying the domain that is hosting the Node.js app.
<img
src=x onerror=alert(document.domain)><!--`
The Javascript code of the page is doing a request to /api/message and it uses the input:text to write the content into the chatbox message after the request is done. This behaviour could allow an attacker to inject custom Javascript code that can be used to steal information from users or lure them to malicious websites.
@stevenpkg Can you look into this?
@JStefanikIBM demo apps are meant to be simple applications using Watson services, and not necessarily commercial strength apps, @mitchmason @germanattanasio what do you all think?
๐ This issue has been resolved in version 1.4.1 ๐
The release is available on:
Your semantic-release bot ๐ฆ๐