FastAPI-Admin - [Vulnerability Report] - Stored XSS in Category function. · Issue #182 · fastapi-admin/fastapi-admin · GitHub
FastAPI-Admin - [Vulnerability Report] - Stored XSS in Category function. #182

Description

@mohit121312

A stored XSS vulnerability was discovered in the Category module of FastAPI-Admin. Malicious JavaScript code injected into a form field (e.g. Category Name) is stored in the backend and rendered without proper sanitization. When an admin or any user visits the category list or detail view, the script executes in their browser context.

Steps To Reproduce:

  1. Use a browser to visit https://fastapi-admin-pro.long2ice.io/admin/login and log in with admin/123456
  2. Navigate to Category and click the Create button


  3. Insert `<svg onload=alert(document.cookie)>` in the Name field and click Save; the browser then pops up an alert showing the cookie.


Mitigation & Recommendation:

### To prevent stored XSS and reduce the attack surface:
1. Input Sanitization:
• Sanitize all user-supplied input before storage using libraries like bleach in Python to strip/escape dangerous HTML/JavaScript content.
2. Output Encoding:
• Ensure all dynamic content is properly HTML-encoded before rendering into templates or views.
• Apply context-aware encoding (e.g., HTML, JS, URL) based on where the data is rendered.
3. Set HttpOnly on Cookies:
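The recommendations above (sanitize on input, encode per output context, set HttpOnly) as one runnable Python example. This is an added illustration, not code from fastapi-admin or from the reporter; the `render_*` functions are hypothetical stand-ins for a template that prints a category name, `strip_markup` is a stdlib stand-in for `bleach.clean(name, tags=[], strip=True)`, and the cookie name `session` and path `/admin` are assumed. Only the standard library is used, so it runs offline.

```python
"""Stored XSS in a category name: vulnerable rendering beside the hardened forms.

Added example (not fastapi-admin's code). Assumptions: a template that interpolates
the stored name into HTML text, an attribute, a JS string, and a URL; a cookie named
'session' scoped to /admin. bleach is replaced by a tiny stdlib allow-nothing sanitizer.
"""
import html
import json
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import quote

# Constructed sample input: the exact payload from the report.
PAYLOAD = "<svg onload=alert(document.cookie)>"


def render_unsafe(name: str) -> str:
    """Vulnerable form: stored data is interpolated straight into HTML (the bug reported)."""
    return f"<td>{name}</td>"


def render_html(name: str) -> str:
    """HTML text context: escape & < > " ' so the browser never sees a tag."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def render_attr(name: str) -> str:
    """HTML attribute context: always quote the attribute AND escape both quote characters."""
    return f'<input name="category" value="{html.escape(name, quote=True)}">'


def js_string_literal(name: str) -> str:
    """JS string context: JSON-encode (ensure_ascii escapes U+2028/9) and break '</' so the
    literal can never close the surrounding <script> block."""
    return json.dumps(name).replace("</", "<\\/")


def render_js(name: str) -> str:
    return f"<script>const categoryName = {js_string_literal(name)};</script>"


def render_url(name: str) -> str:
    """URL query context: percent-encode first, then HTML-escape the result for the href."""
    href = "/admin/category?name=" + quote(name, safe="")
    return f'<a href="{html.escape(href)}">{html.escape(name)}</a>'


def looks_like_markup(rendered: str) -> bool:
    """Check used to compare vulnerable vs. hardened output: did a raw <svg tag survive?"""
    return "<svg" in rendered


class _TextOnly(HTMLParser):
    """Keeps text nodes only; every tag is dropped (a category name has no legitimate HTML)."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def strip_markup(name: str) -> str:
    """Storage-side defence in depth, stand-in for bleach.clean(name, tags=[], strip=True).
    This does NOT replace output encoding: data may reach the template from other paths."""
    parser = _TextOnly()
    parser.feed(name)
    parser.close()
    return "".join(parser.parts).strip()


def session_cookie(token: str) -> str:
    """Set-Cookie value with HttpOnly (script cannot read it), Secure and SameSite=Lax.
    HttpOnly blunts document.cookie theft; it does not stop XSS from acting as the admin."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/admin"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    print("vulnerable:", render_unsafe(PAYLOAD))
    print("html text :", render_html(PAYLOAD))
    print("attribute :", render_attr(PAYLOAD))
    print("js string :", render_js(PAYLOAD))
    print("url       :", render_url(PAYLOAD))
    print("stripped  :", repr(strip_markup(PAYLOAD)))
    print("cookie    :", session_cookie("opaque-token"))
```

The point of the four `render_*` variants is that one encoder does not fit every sink: `html.escape` is right for text and quoted attributes, but inside a `<script>` block it is the `</` sequence that matters, and inside a URL the value must be percent-encoded before it is HTML-escaped.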
