Skip to content

Reflected XSS - /admin/tag/list #205

New issue
New issue
Closed
Closed
Reflected XSS - /admin/tag/list#205
@NinjaGPT

Description

@NinjaGPT
NinjaGPT
opened on Jul 23, 2025

Summary

In the latest v6.0.0 version, the endpoint/admin/tag/list does not encode user-controllable parameters when outputting them on the current page, resulting in Reflected XSS. This allows attackers to launch XSS attacks against administrator users.

POC

http://localhost:8888/admin/tag/list?name=%22%3E%3Csvg%2Fonload%3Dconfirm%289%29%3E
Image

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions