Cross Site Scripting Vulnerability in Latest Release

[HatBoy]

Hi, I would like to report Cross Site Scripting vulnerability in latest release.

Description:
Cross-site scripting (XSS) vulnerability in app/api/cms/user.py 12 line register() function and app/api/cms/log.py 23 line get_logs() function.
User name usage XSS payload will be executed in the log when registering users
Steps To Reproduce:
1.Add a user, the username is xss payload.

2.Then use the username login, see the log manager find the xss payload already executed, the super user also can find.

author by jin.dong@dbappsecurity.com.cn

[7insummer]

Thanks for these suggestions, as we have just started, including SQL injection and CSRF prevention has been put on the agenda but has not yet been achieved. We will improve these security issues in the near future. Thanks again.

[OS-WS]

Hi @7insummer @HatBoy ,
Was this issue fixed?
if so, in what commit and what tag/version?
thanks!