CVE-2023-6461: Cross Site Scripting (XSS) in Layers of Image in minipaint

Cross-site Scripting (XSS) - Reflected in GitHub repository viliusle/minipaint prior to 4.14.0.

Valid

Reported on Mar 17th 2023

Description

Cross-site scripting vulnerability in viliusle/minipaint, in the layer name under “Edit Image”.

Proof of Concept

  1. Go to the URL: https://viliusle.github.io/miniPaint/
  2. Go to the layers option and add a new layer.
  3. Rename the layer with the payload.
  4. A popup will appear.

For more detail, see the POC: https://drive.google.com/file/d/1etng0zEHk6xHTnr_T6VkmM2l8AfBjdFs/view?usp=share_link

var payload = '"><img src=x onerror=alert(document.domain);>';

Impact

An attacker can use XSS to send a malicious script to an unsuspecting user.
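
The class of bug behind this report, as an added example that is not minipaint's own code: a layer name concatenated into markup next to the same row built with the name escaped. The function names, the row markup and the tag-counting check are assumptions made for illustration; the sample name is the payload quoted above.

```javascript
// Added illustration: hypothetical layer-list rendering, not minipaint's code.

// Characters that let text break out of an HTML text node or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the user-controlled layer name is concatenated into
// markup, both inside a quoted attribute and inside an element body.
function renderLayerRowUnsafe(layer) {
  return '<div class="layer" data-id="' + layer.id + '" title="' + layer.name + '">' +
    '<span class="layer_name">' + layer.name + '</span></div>';
}

// Hardened pattern: the name is escaped for both contexts and the id is
// coerced to a number, so neither value can introduce markup.
function renderLayerRowSafe(layer) {
  const name = escapeHtml(layer.name);
  return '<div class="layer" data-id="' + Number(layer.id) + '" title="' + name + '">' +
    '<span class="layer_name">' + name + '</span></div>';
}

// Regression check: a layer row must contain exactly two opening tags
// (the div and the span). Anything more means the name injected markup.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Sample input: the layer name from the report's proof of concept.
const SAMPLE_NAME = '"><img src=x onerror=alert(document.domain);>';
const sampleLayer = { id: 1, name: SAMPLE_NAME };

console.log('unsafe tags:', countOpeningTags(renderLayerRowUnsafe(sampleLayer)));
console.log('safe tags:  ', countOpeningTags(renderLayerRowSafe(sampleLayer)));
console.log(renderLayerRowSafe(sampleLayer));
```

When the row is built with DOM APIs instead of strings, assigning the name through `textContent` (and `setAttribute` for attributes) gives the same result without a hand-written escaper.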
