Dashboard SIM names vulnerable to XSS [Solved]


#1

The Hologram SIM names are not escaped for HTML tags when loaded onto the page, eg. if you change the name of a sim to:

<img src=x onerror=alert('X')>xx

It will display a javascript popup message. Though not really exploitable, it could lead to unwanted side effects etc. if performed in an organisational account. This may be present amongst other forms on the site as well.


#2

Hi there, front-end developer here at Hologram. Thanks for letting us know about this vulnerability - everything is escaped via React except for one component which you have found. It has been addressed and will be fixed in production shortly.

Thanks again.


#3