OneNav beta 0.9.12 allows XSS via the Add Link feature. PWNED by using a remote execution script automated for this vulnerability. NOTE: the vendor’s position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release.
<https://streamable.com/ubtzio>
Recent assessments:
nu11secur1ty at August 06, 2021 5:37pm UTC reported:
OneNav beta 0.9.12 allows XSS via the Add Link feature. PWNED by using a remote execution script automated for this vulnerability. NOTE: the vendor’s position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release.
<https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38138>
<https://streamable.com/ubtzio>
Assessed Attacker Value: 3
Assessed Attacker Value: 5
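The entry above describes a stored XSS through the Add Link feature and notes that the vendor has no XSS protection in place yet. The block below is an added example, not OneNav's code, of the two server-side controls such a feature needs before a saved bookmark is rendered: restrict the stored URL to http(s) and HTML-escape every user-controlled value. The function names, the allowed-scheme set and the sample bookmark entries are assumptions constructed for the example.

```python
import html
from urllib.parse import urlparse

# Added example (not OneNav's code): hardening for an "Add Link" feature so
# that a stored title or URL cannot execute as script when the link list is
# rendered into HTML. Names and sample data below are constructed.

ALLOWED_SCHEMES = {"http", "https"}  # assumption: bookmarks are web links only


def is_safe_link_url(url: str) -> bool:
    """Accept only absolute http(s) URLs with a host.

    Rejects javascript:, data:, vbscript: and scheme-relative (//host) values,
    which would otherwise end up inside an href attribute.
    """
    parsed = urlparse(url.strip())
    return parsed.scheme.lower() in ALLOWED_SCHEMES and bool(parsed.netloc)


def render_link(title: str, url: str) -> str:
    """Return one <a> element with every user-controlled value HTML-escaped.

    html.escape(..., quote=True) neutralises <, >, &, " and ', so a title such
    as <img src=x onerror=...> is shown as text instead of being parsed as markup.
    """
    if not is_safe_link_url(url):
        raise ValueError("refusing to render link with unsupported URL scheme")
    safe_title = html.escape(title, quote=True)
    safe_url = html.escape(url.strip(), quote=True)
    return f'<a href="{safe_url}" rel="noopener noreferrer">{safe_title}</a>'


def render_link_list(links):
    """Render a list of (title, url) pairs; unsafe URLs are dropped, not rendered."""
    rendered = []
    for title, url in links:
        if not is_safe_link_url(url):
            continue  # a real app would also log the rejected entry for review
        rendered.append(render_link(title, url))
    return "\n".join(rendered)


if __name__ == "__main__":
    # Constructed sample bookmarks: one benign, one with markup in the title,
    # one whose URL is a script scheme rather than a web address.
    sample_links = [
        ("Docs", "https://example.com/docs"),
        ("<img src=x onerror=alert(1)>", "https://example.com/"),
        ("click me", "javascript:alert(1)"),
    ]
    print(render_link_list(sample_links))
```

The escaping belongs at the point of output, not only at input time, because a stored value can reach the page through more than one template; the scheme check belongs at both input and output so a bad value is neither stored nor rendered.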