Question - Stored XSS Vulnerability

While examining the platform, I saw that an input field was not sanitized cleanly. I found that I could run JavaScript commands on the system when I sent a Stored XSS payload to the relevant input. I tried with unauthorized users, but this vulnerability can only be performed with an authorized user.

1-) Log in to the system with an authorized user. The “Add” operation is performed with the “Actions” button in the upper right of the Dashboard.

2-) While adding, the following XSS payload is sent to the “KPI Title” input.



3-) When you return to the Dashboard screen after the addition is made, you will see that the relevant alert command runs.

App Version:

I cannot upload PoC screenshots as I am a new user.

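The rendering mistake behind a stored XSS of this kind, shown as an added example that is not part of the original post and not the platform's own code. The dashboard stores the “KPI Title” and later writes it into the page; if it is concatenated into markup unescaped, every user who opens the Dashboard runs whatever the submitter typed. The function names, the sample KPI record and the payload string below are assumptions made for illustration (the post did not reproduce its exact payload).

```javascript
// Added example, not code from the original report or the vendor.
// Names (STORED_KPI, renderKpiCardUnsafe, renderKpiCardSafe, escapeHtml,
// injectsTag) and the payload are assumptions for illustration.

// Constructed sample: what the "Add" action might persist after a payload
// is typed into the "KPI Title" field.
const STORED_KPI = {
  id: 7,
  title: '<img src=x onerror="alert(document.domain)">',
  value: 42,
};

// Vulnerable pattern: the stored title is concatenated straight into HTML.
// When the Dashboard loads, the browser parses the title as markup and the
// onerror handler fires for every viewer, which is the behaviour the report
// describes in step 3.
function renderKpiCardUnsafe(kpi) {
  return `<div class="kpi" data-id="${kpi.id}">` +
         `<h3 class="kpi-title">${kpi.title}</h3>` +
         `<span class="kpi-value">${kpi.value}</span></div>`;
}

// Hardened pattern: encode the five HTML-significant characters at render
// time. Quotes are included so the same helper is safe inside attribute
// values, not only in element text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderKpiCardSafe(kpi) {
  return `<div class="kpi" data-id="${escapeHtml(kpi.id)}">` +
         `<h3 class="kpi-title">${escapeHtml(kpi.title)}</h3>` +
         `<span class="kpi-value">${escapeHtml(kpi.value)}</span></div>`;
}

// In a real page the equivalent of renderKpiCardSafe is to build the element
// and assign the title through textContent rather than innerHTML:
//   const h3 = document.createElement('h3'); h3.textContent = kpi.title;

// Self-check used below: does the rendered markup still contain a live
// <img ... onerror=...> tag?
function injectsTag(html) {
  return /<img\b[^>]*onerror=/i.test(html);
}
```

Escaping on output is the actual fix; filtering the “KPI Title” at the “Add” step only narrows which payloads get through and leaves any other path that writes the same stored value unprotected. A Content-Security-Policy without `'unsafe-inline'` would additionally stop the inline handler from executing even if the escape were missed.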


Thanks for reporting.
This issue is already fixed in the enterprise, and the new community will have this fixed as well.