CVE-2021-26722: LinkedIn Oncall vulnerable to Cross-Site Scripting
LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the “No results found for” message in the search bar.
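The defect class described above, shown as a constructed example that is not Oncall's own code: a search page that reflects the query term into its "No results found for" message, once by plain string concatenation and once with HTML escaping, plus a small check that flags when a term containing markup comes back verbatim. The parameter name `q` is an assumption; the advisory only names the `/query` path.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed illustration of CVE-2021-26722's bug class, not Oncall's code:
# a "No results found for ..." message that echoes the user's search term.


def vulnerable_no_results(query: str) -> str:
    """Builds the message by concatenation, so the raw query lands in the HTML."""
    return f'<p class="empty">No results found for {query}</p>'


def hardened_no_results(query: str) -> str:
    """Escapes &, <, >, \" and ' so the query is rendered as text, not markup."""
    return f'<p class="empty">No results found for {html.escape(query, quote=True)}</p>'


def query_from_url(url: str) -> str:
    """Extracts the search term from a /query URL (parameter name 'q' is assumed)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def reflects_markup(page: str, query: str) -> bool:
    """Detection check: true when a term containing angle brackets is found
    verbatim in the response, i.e. the reflection can be parsed as markup."""
    return ("<" in query or ">" in query) and query in page


if __name__ == "__main__":
    term = query_from_url("/query?q=%3Cb%3Ex%3C%2Fb%3E")  # decodes to <b>x</b>
    print("vulnerable:", reflects_markup(vulnerable_no_results(term), term))  # True
    print("hardened:  ", reflects_markup(hardened_no_results(term), term))    # False
```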
References
- github.com/advisories/GHSA-rfw2-x9f8-2f6m
- github.com/linkedin/oncall
- github.com/linkedin/oncall/commit/843bc106a1c1b1699e9e52b6b0d01c7efe1d6225
- github.com/linkedin/oncall/issues/341
- github.com/pypa/advisory-database/tree/main/vulns/oncall/PYSEC-2021-33.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-26722
- pypi.org/project/oncall