huntr | Hisokix0 | 1B5C6D9F-941E-4DD7-A964-42B53D6826B0
Jul 07, 2022 - 5:34 p.m.

Application allows a large number of characters to be inserted in the "Add new table" input field on the create field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in

www.huntr.dev

EPSS: 0.001 (percentile: 33.0%)

Proof of Concept

Go to http://localhost:8080/dashboard/#/projects.
Select any created project and go to the project section.
Click on the "ADD/IMPORT" section and click on "add new table".
Fill the "table name" field with a very large number of characters (more than 1 lakh): copy the payload below, put it in the input field, and click on continue. You will see that the application accepts the large input, and if the number of characters is increased further it can lead to DoS. (The input is also reflected in the URL, so the large string in the URL also blocks the user section.)

Download the payload from here:

https://drive.google.com/file/d/13IK67Sx93nvnb_3gLUBDLgoEC7XTQiso/view?usp=sharing

Video & Image POC:

https://drive.google.com/file/d/1geJOi6lrl6gFQcwZ9ybeJhehU4NX9siL/view?usp=sharing

Patch recommendation:

The Project name input should be limited to 50 characters or a max of 100 characters.
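
One way to enforce the recommended limit on the server side, shown for the "table name" field from the steps above. This is an added example, not the application's own code; the `table_name` field name, the 4096-byte body cap and the function name are assumptions.

```javascript
// Added example: names and limits are assumptions, not the application's code.
const MAX_BODY_BYTES = 4096; // assumed cap for this small JSON request
const MAX_NAME_CHARS = 100;  // upper bound from the patch recommendation

// Validate the raw body of a hypothetical "add new table" request.
// Returns { status, error } on rejection, or { status: 200, tableName }.
function checkCreateTable(rawBody) {
  // 1. Bound the bytes before parsing, so an oversized payload is never
  //    parsed, stored, or reflected back into a URL.
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { status: 413, error: 'request body too large' };
  }

  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, error: 'invalid JSON' };
  }

  // 2. The field must be a string; arrays or objects would bypass a
  //    naive ".length" check.
  const name = body && body.table_name; // hypothetical field name
  if (typeof name !== 'string') {
    return { status: 400, error: 'table_name must be a string' };
  }

  // 3. Count Unicode code points rather than UTF-16 units, so the limit
  //    means the same thing for ASCII and non-ASCII names.
  const trimmed = name.trim();
  const length = Array.from(trimmed).length;
  if (length === 0 || length > MAX_NAME_CHARS) {
    return { status: 400, error: `table_name must be 1-${MAX_NAME_CHARS} characters` };
  }

  return { status: 200, tableName: trimmed };
}
```

A `maxlength` attribute on the input field helps the user interface but is not a control, because a crafted HTTP request never passes through the form. In a real server the byte cap should also be applied while the body is being read, not after it has been buffered.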
