CVE-2019-15478
Description
Status Board 1.1.81 is vulnerable to reflected cross-site scripting (XSS) via the logic.ts file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
Status Board 1.1.81 contains a reflected cross-site scripting (XSS) vulnerability in logic.ts. The application fails to sanitize user input, allowing arbitrary JavaScript to be reflected back to users without proper escaping [1][2].
Exploitation
An attacker can craft a malicious URL containing the XSS payload and trick a user into visiting it. No authentication is required, as the vulnerability is present in the rendering logic for dashboards [2][4]. The fix removed the direct inclusion of user-controlled input in the response message [4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim’s browser. This can lead to session hijacking, credential theft, or defacement of the application [2][3].
Mitigation
The vulnerability was fixed in a pull request that sanitizes the response message [1]. The fix was merged into the master branch but has not been published as a new release. Users are advised to apply the patch manually or update to a future version that includes the fix [2][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| status-board (npm) | < 1.1.82 | 1.1.82 |
Affected products
- Status Board/Status Board (description)
References
- github.com/advisories/GHSA-6m4r-cgm3-6q7q (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-15478 (ghsa; ADVISORY)
- github.com/jameswlane/status-board/pull/949 (ghsa; x_refsource_MISC; WEB)
- github.com/jameswlane/status-board/pull/949/files (ghsa; WEB)
- snyk.io/vuln/SNYK-JS-STATUSBOARD-460293 (ghsa; WEB)
- www.npmjs.com/advisories/1151 (ghsa; WEB)