CVE-2023-38350: Fix XSS in AJAX controller for basket by martialblog · Pull Request #16 · pnp4nagios/pnp4nagios
PNP4Nagios through 81ebfc5 has stored XSS in the AJAX controller via the basket API and filters. This affects 0.6.26.
Hi,
the AJAX controller allows for stored cross-site scripting due to missing input validation.
Before this fix you could send and store arbitrary characters via the basket API and filters.
Examples:
- `item="><svg/onclick=alert('foobar')>` in add/basket
- `sfilters="><svg/onclick=alert('foobar')>`

```
curl 'http://localhost:8080/pnp4nagios//ajax/basket/add' --compressed -X POST -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Referer: http://localhost:8080/pnp4nagios/graph?host=.pnp-internal&srv=runtime' -H 'Origin: http://localhost:8080' -H 'Connection: keep-alive' -H 'Sec-Fetch-Site: same-origin' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data-raw $'item="><svg/onclick=alert(\'foobar\')>'
```
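
The following is an added example, not code from this pull request or from PNP4Nagios. It sketches the two controls that close this class of bug: allowlist validation before a basket item is stored, and HTML encoding when stored items are rendered. The function names, the `host::service::source` item format, and the sample inputs are assumptions made for illustration.

```php
<?php
// Hypothetical helpers; names and item format are assumptions, not PNP4Nagios code.

// Allowlist: up to three "::"-separated parts made of word characters, dot, dash, space.
const ITEM_PATTERN = '/\A[\w.\- ]{1,128}(::[\w.\- ]{1,128}){0,2}\z/u';

function basket_item_is_valid(string $item): bool
{
    return preg_match(ITEM_PATTERN, $item) === 1;
}

// Store the item only if it passes validation; returns false when rejected.
function basket_add(array &$basket, string $item): bool
{
    if (!basket_item_is_valid($item)) {
        return false;
    }
    if (!in_array($item, $basket, true)) {
        $basket[] = $item;
    }
    return true;
}

// Encode on output as a second layer, so values stored before the
// validation existed cannot break out of the attribute or the element.
function basket_render(array $basket): string
{
    $html = "<ul>\n";
    foreach ($basket as $item) {
        $safe = htmlspecialchars($item, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "  <li data-item=\"$safe\">$safe</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample inputs: one well-formed item and the payload from the report.
$payload = '"><svg/onclick=alert(\'foobar\')>';
$basket  = [];
foreach (['web01::http::0', $payload] as $input) {
    printf("%-40s %s\n", $input, basket_add($basket, $input) ? 'stored' : 'rejected');
}

// Simulate a legacy entry that was stored before validation was added.
$basket[] = $payload;
echo basket_render($basket);
```

Validation alone does not clean up entries already persisted by earlier requests, which is why the render path encodes every value regardless of how it was stored.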