Hello EvoPIE developers,
We are a cybersecurity research group from Ca’ Foscari University of Venice. We recently conducted a security analysis of web applications on GitHub as part of our research. We have discovered a security vulnerability in your code that we believe requires your attention.
Vulnerability Description:
After our analysis, we have identified that your application is vulnerable to a stored XSS. Stored XSS is a security vulnerability where malicious scripts are injected into an application's storage (e.g., database) and persist. These scripts execute in users' browsers when they access the affected content, stealing data or performing malicious actions. The following endpoint presents the vulnerability. If you are interested in the full "steps to reproduce" and payload, please reply to this issue.
"/questions"
Recommendation for Mitigation:
To address this vulnerability and enhance the security posture of your web application, we recommend you validate and sanitize user inputs to ensure they don't contain malicious scripts. Use proper encoding (e.g., HTML, JavaScript, URL encoding) when displaying dynamic content. Implement Content Security Policy (CSP) to restrict script execution to trusted sources.
We hope this notification helps improve your security.
In addition to addressing this issue, we are interested in understanding how this vulnerability was introduced in the code or why it has remained unchanged. This information can provide valuable insights into common security pitfalls and help us all improve security practices in the future. Could you share any background on this aspect? We would greatly appreciate your input on this matter. Thank you!
Should you have further questions or comments on this, feel free to answer this thread.
Kind regards
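
The encoding and CSP recommendations in the report above, sketched as an added example that is not part of the original report and not EvoPIE's code. It is framework-neutral Python using only the standard library; the `search` query parameter, the function names and the sample stored value are assumptions made for illustration.

```python
import html
import json
import secrets
from urllib.parse import quote

# Constructed sample of a stored value; not the payload from the report.
STORED_TITLE = '</script><script>alert("q")</script>'

def encode_html(value: str) -> str:
    """Encode for HTML text or a quoted attribute value."""
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    """Encode as a JavaScript string literal placed inside an inline <script>."""
    # json.dumps produces a valid JS string literal. The replacements keep the
    # HTML parser from ever seeing "</script>" or "<!--" inside the block.
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))

def encode_url_component(value: str) -> str:
    """Percent-encode for use as a single query-string value."""
    return quote(value, safe="")

def csp_header(nonce: str) -> tuple:
    """CSP that only runs same-origin scripts and inline scripts with the nonce."""
    policy = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'"
    )
    return ("Content-Security-Policy", policy)

def render_question(title: str):
    """Render one stored title in three contexts, each with its own encoder."""
    nonce = secrets.token_urlsafe(16)  # fresh per response
    body = (
        f"<h2>{encode_html(title)}</h2>\n"
        # "search" is a hypothetical parameter, used only to show URL encoding.
        f'<a href="/questions?search={encode_url_component(title)}">similar</a>\n'
        f'<script nonce="{nonce}">const title = {encode_js_string(title)};</script>\n'
    )
    return body, csp_header(nonce)

if __name__ == "__main__":
    page, header = render_question(STORED_TITLE)
    print(f"{header[0]}: {header[1]}\n{page}")
```

Each context needs its own encoder: HTML-escaping alone does not make a value safe inside a script block or a URL, and the CSP is a second layer that limits damage if one encoder is missed.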