XSS vulnerability on gadget filter's alias

Description

A script (e.g. <script>alert('hi');</script>) can be placed in the filter alias.

To replicate:

  1. Add a gadget

  2. Set the filter's alias to <script>alert('hi');</script>

  3. Set the display type to Data Table or Chart and Data Table

  4. Click save

  5. You will receive an alert "hi"

This happens if the data table is displayed.


Environment

None

Status

Assignee

Angela Teo

Reporter

Chia Xin Fang

Labels

None

Fix versions

Affects versions

Priority

Major