Stored Cross-site Scripting leading to arbitrary actions taken on behalf of users in elabftw

eLabFTW is an open source electronic lab notebook for research labs. By uploading specially crafted files, a regular user can create a circumstance where a visitor's browser runs arbitrary JavaScript code in the context of the eLabFTW application. This can be triggered by the visitor viewing a list of experiments. Viewing this allows the malicious script to act on behalf of the visitor in any way, including the creation of API keys for persistence, or other options normally available to the user. If the user viewing the page has the sysadmin role in eLabFTW, the script can act as a sysadmin (including system configuration and extensive user management roles). Users are advised to upgrade to at least version 5.0.0. There are no known workarounds for this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

eLabFTW 安全漏洞

eLabFTW是eLabFTW开源的一套开源的实验数据托管平台。该平台运行于Linux系统中，并支持存储多种对象。 eLabFTW 5.0.0之前版本存在安全漏洞。攻击者利用该漏洞可以运行任意 JavaScript 代码。

N/A

N/A