CVE-2021-36603: Cross-site scripting vulnerability · Issue #12221 · arendst/Tasmota

PROBLEM DESCRIPTION

I’ve identified a Cross-site scripting vulnerability (XSS) in the web interface of Tasmota 6.5.0. Unfortunately, I can not check if the current release is also affected. It would be nice if someone could check this out and give me feedback.

REQUESTED INFORMATION

Make sure your have performed every step and checked the applicable boxes before submitting your issue. Thank you!

• [ x] Read the Contributing Guide and Policy and the Code of Conduct
• [ x] Searched the problem in issues
• [x ] Searched the problem in discussions
• Searched the problem in the docs
• Searched the problem in the chat
• Device used (e.g., Sonoff Basic): _____
• Tasmota binary firmware version number used: _____
  • Pre-compiled
  • Self-compiled
• Flashing tools used: _____
• Provide the output of command: Backlog Template; Module; GPIO 255:

Configuration output here:

• If using rules, provide the output of this command: Backlog Rule1; Rule2; Rule3:

• Provide the output of this command: Status 0:

• Set weblog to 4 and then, when you experience your issue, provide the output of the Console log:

TO REPRODUCE

Navigate to “Configuration” - “Configure Other” and insert the following sting in the field "Friendly Name 1":
"/><script>alert(1)</script>

After that, a JavaScript alert box should appear if the version is vulnerable.

EXPECTED BEHAVIOUR

A clear and concise description of what you expected to happen.

SCREENSHOTS

If applicable, add screenshots to help explain your problem.

ADDITIONAL CONTEXT

Add any other context about the problem here.

(Please, remember to close the issue when the problem has been addressed)