Fava vulnerable to reflected cross-site scripting
Fava before 1.22.3 is vulnerable to reflected cross-site scripting due to improper validation on filter conversion.
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2. The query_string parameter of Fava is vulnerable to reflected cross-site scripting, for which an attacker can modify any information that the user is able to modify. This issue is fixed in version 1.22.2.
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected cross-site scripting due to the lack of escaping of error messages which contained the parameters verbatim.
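The failure mode described above, as an added illustration that is not Fava's own code: a request parameter fails validation, the error message embeds the parameter, and the message is rendered into HTML without escaping. The toy filter grammar, the function names and the `<p class="error">` markup are assumptions for this example; the point is the difference between interpolating the raw message and escaping it first, plus a small check a reviewer can run against rendered output.

```python
import html
import re

# Constructed toy grammar for a filter string: word characters, ':', '#', '^', '-', whitespace.
# This is an assumption for the example, not Fava's real filter syntax.
FILTER_TOKEN = re.compile(r"^[\w:#^\-\s]*$")


def validate_filter(value: str) -> None:
    """Raise ValueError for filter strings the toy grammar does not accept.

    The error message embeds the offending input verbatim, which is exactly the
    pattern that becomes a reflected XSS once the message reaches an HTML page.
    """
    if not FILTER_TOKEN.match(value):
        raise ValueError(f"Failed to parse filter: {value}")


def render_error_unsafe(param: str) -> str:
    """Vulnerable pattern: the exception text is interpolated into HTML as-is."""
    try:
        validate_filter(param)
    except ValueError as exc:
        return f'<p class="error">{exc}</p>'
    return "<p>ok</p>"


def render_error_safe(param: str) -> str:
    """Hardened pattern: escape the message before it touches the HTML response."""
    try:
        validate_filter(param)
    except ValueError as exc:
        # html.escape turns <, >, &, and quotes into entities, so browser
        # treats the reflected parameter as text rather than markup.
        return f'<p class="error">{html.escape(str(exc))}</p>'
    return "<p>ok</p>"


def echoes_raw_markup(rendered: str, param: str) -> bool:
    """Review-time check: does the response contain the parameter's markup verbatim?

    A True result on a parameter containing '<' means the page reflects user
    input without escaping and needs the fix shown in render_error_safe.
    """
    return "<" in param and param in rendered


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed filter and one carrying markup.
    for sample in ("account:Assets", "<b>not a filter</b>"):
        print("unsafe:", render_error_unsafe(sample))
        print("safe:  ", render_error_safe(sample))
        print("reflects raw markup (unsafe):", echoes_raw_markup(render_error_unsafe(sample), sample))
        print("reflects raw markup (safe):  ", echoes_raw_markup(render_error_safe(sample), sample))
```

The same check applies to any template path that renders an exception message: either the template engine autoescapes the value, or the code escapes it explicitly as `render_error_safe` does; an error string built with f-strings and returned as a raw response does neither.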