Bynder Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Bynder version 0.1.394. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload. The issue arises when the application processes and displays the injected content without proper sanitization, enabling the execution of malicious scripts in the context of the user's browser.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content.
Reproduction
To reproduce this vulnerability, log into the application and navigate to the collections section. Create a new collection and name it with an XSS payload, such as an image tag (img) with an 'onmouseover' event. After saving the collection, go to the dashboard and search for the collection name. Hover over it to trigger the XSS payload, which will execute the injected script, such as an alert displaying the document domain.
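The reproduction above implies that the stored collection name reaches the dashboard search results without output encoding. The following added example (not Bynder's code and not part of the original advisory) contrasts that rendering pattern with encoding at output time and adds a small regression check; all function names and the sample name are constructed for illustration.

```javascript
// Added example: hypothetical rendering helpers, not Bynder's implementation.

// Constructed sample matching the payload shape the advisory describes.
const SAMPLE_NAME = '<img src=x onmouseover=alert(document.domain)>';

// Characters that are significant in HTML text and quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// so any tag or event handler in it becomes part of the page.
function renderResultUnsafe(collection) {
  return `<li class="result" title="${collection.name}">${collection.name}</li>`;
}

// Hardened pattern: the name is encoded for the HTML context when rendered,
// so it is displayed as text regardless of what was stored.
function renderResultSafe(collection) {
  const name = escapeHtml(collection.name);
  return `<li class="result" title="${name}">${name}</li>`;
}

// Regression check: list tag names in rendered output that the template
// itself does not emit. Anything returned here came from user data.
function unexpectedTags(html, allowed = ['li']) {
  const found = [];
  const re = /<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag) && !found.includes(tag)) found.push(tag);
  }
  return found;
}

const stored = { name: SAMPLE_NAME };
console.log('unsafe:', unexpectedTags(renderResultUnsafe(stored)));
console.log('safe:  ', unexpectedTags(renderResultSafe(stored)));
```

In a browser client the equivalent fix is to assign the name through `textContent` rather than `innerHTML`. A restrictive Content-Security-Policy that disallows inline event handlers limits the impact if an encoding step is missed elsewhere.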
