StoredXSS in API Key name

Moderate
marcelfolaron published GHSA-c39w-3pjx-qc7m Feb 18, 2025

Package

No package listed

Affected versions

3.1.4

Patched versions

3.3

Description

A stored XSS was discovered in the API key name field, which is set when generating an API key.

Impact

Any low-privileged user, such as a manager or editor, can create an API key whose name contains an XSS payload. When an admin later visits the Company page, the payload is triggered automatically and runs in the admin's session, allowing unauthorized actions to be performed from the ADMIN account, such as removing any user, granting someone else high privileges, and more.
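The root cause described above is a stored value (the API key name) that is written by a low-privileged user and rendered later into a page viewed by an admin. The following Python example is added here to illustrate the defect and its fix; it is not code from the affected project or from this advisory. The row template, the `is_valid_key_name` allow-list, and the constructed sample name are all assumptions made for the example.

```python
import html
import re

# Constructed sample: an API key name that embeds markup. In a stored XSS,
# such a name is saved as-is and later rendered into a page that a
# higher-privileged user (here, the admin viewing the Company page) loads.
CONSTRUCTED_KEY_NAME = '<script>alert("xss")</script>'

# Hypothetical allow-list for API key names (an assumption, not the
# project's rule): letters, digits, space, dash, underscore, dot; 1..64 chars.
KEY_NAME_PATTERN = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")


def is_valid_key_name(name: str) -> bool:
    """Defence in depth at the input boundary: reject names containing
    characters a key label never needs (including <, >, ", ', &).
    This alone is not the fix; output encoding is still required."""
    return bool(KEY_NAME_PATTERN.fullmatch(name))


def render_key_row_unsafe(name: str) -> str:
    """The vulnerable pattern: the stored name is interpolated straight into
    HTML, so any markup inside it becomes part of the admin's page."""
    return f'<tr><td class="api-key-name">{name}</td></tr>'


def render_key_row_safe(name: str) -> str:
    """The fix: HTML-encode the untrusted value at the output boundary.
    quote=True also escapes quotes, so the same helper is safe to use
    inside attribute values, not only in element text."""
    return f'<tr><td class="api-key-name">{html.escape(name, quote=True)}</td></tr>'


def contains_script_tag(rendered: str) -> bool:
    """Template-test helper: does the rendered row still carry a raw
    <script tag? Escaped output contains only &lt;script."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("valid name?", is_valid_key_name(CONSTRUCTED_KEY_NAME))
    print("unsafe row: ", render_key_row_unsafe(CONSTRUCTED_KEY_NAME))
    print("safe row:   ", render_key_row_safe(CONSTRUCTED_KEY_NAME))
```

In a real code base the encoding belongs in the template engine (auto-escaping on by default) rather than in ad-hoc helpers; the allow-list check is a second layer that also makes injected names easy to spot in the database or in audit logs, which is the detection angle for an issue like this one.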

Severity

Moderate

CVE ID

No known CVE

Weaknesses

Credits