Hi,

On Mon, 15 Jun 2020, Sebastien Delafond wrote:
> See for instance the following URL:
> 
>   https://ci.debian.net/user/debci/jobs?package=abc";><script>alert(document.domain)</script>

The issue is present in multiple parameters and even in the URL itself:

XSS Param URL: 
https://ci.debian.net/user/debci%3Cvideo%3E%3Csource%20onerror=%22javascript:prompt(9401)%22%3E/jobs

XSS Param package: 
https://ci.debian.net/user/nobody/jobs?arch[]=amd64&package=bamtools%27%22()%26%25%3Cxx%3E%3CScRiPt%3Ealert(9904)%3C/ScRiPt%3E&suite[]=kali-dev

XSS Param trigger: 
https://ci.debian.net/user/debci/jobs?arch[]=amd64&package=20&suite[]=kali-dev&trigger=1%27%22()%26%25%3Cxxx%3E%3CScRiPt%3Eprompt(9829)%3C/ScRiPt%3E

Is there any chance that you could fix this in the near future?

The issues are not critical but ignoring them doesn't give a good image of
us. (And what if this could be exploited to trigger a test run with
some evil parameters...)

Regards,
-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <hert...@debian.org>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS

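The three reports above all come down to the same defect: a query parameter (or a path segment) is copied into the HTML response without being escaped for the context it lands in. The following is an added illustration, not debci's code: a minimal Ruby rendering of a job listing page, once with raw interpolation and once with context-appropriate escaping (`CGI.escapeHTML` for text, `ERB::Util.url_encode` for a link). The parameter values are constructed here to mirror the strings quoted in the message, and `reflects_markup?` is a hypothetical helper that a test suite could use to catch regressions.

```ruby
require 'cgi'
require 'erb'

# Constructed sample query parameters, shaped like the ones quoted in the report
# (not a captured request).
SAMPLE_PARAMS = {
  'package' => %q{bamtools'"()&%<xx><ScRiPt>alert(9904)</ScRiPt>},
  'trigger' => %q{1'"()&%<xxx><ScRiPt>prompt(9829)</ScRiPt>},
  'arch'    => ['amd64'],
}.freeze

# Vulnerable pattern: user-controlled values interpolated straight into markup.
# Anything in the parameter that looks like a tag is handed to the browser as a tag.
def render_unsafe(params)
  "<h1>Jobs for #{params['package']}</h1>\n" \
  "<p>Trigger: #{params['trigger']}, arch: #{Array(params['arch']).join(', ')}</p>\n" \
  "<a href=\"/user/debci/jobs?package=#{params['package']}\">permalink</a>\n"
end

# Hardened pattern: escape for the context the value is inserted into.
#   - element text / attribute values: HTML entity escaping
#   - inside a URL query string: percent-encoding
def render_safe(params)
  pkg   = CGI.escapeHTML(params['package'].to_s)
  trg   = CGI.escapeHTML(params['trigger'].to_s)
  archs = Array(params['arch']).map { |a| CGI.escapeHTML(a.to_s) }.join(', ')
  link  = "/user/debci/jobs?package=#{ERB::Util.url_encode(params['package'].to_s)}"

  "<h1>Jobs for #{pkg}</h1>\n" \
  "<p>Trigger: #{trg}, arch: #{archs}</p>\n" \
  "<a href=\"#{CGI.escapeHTML(link)}\">permalink</a>\n"
end

# Hypothetical regression check: does the response still carry an unescaped
# script-capable tag or an inline event handler attribute?
def reflects_markup?(html)
  html.match?(%r{<\s*/?\s*(script|video|source|img|svg|iframe)\b}i) ||
    html.match?(/\bon\w+\s*=/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe reflects markup: #{reflects_markup?(render_unsafe(SAMPLE_PARAMS))}"
  puts "safe reflects markup:   #{reflects_markup?(render_safe(SAMPLE_PARAMS))}"
  puts render_safe(SAMPLE_PARAMS)
end
```

The escaped output still shows the reporter's exact string on the page, which is what a job search should do; it just arrives as text (`&lt;ScRiPt&gt;...`) rather than as an element. The same treatment applies to the path segment in the first report, since a route parameter is no more trustworthy than a query parameter.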