GHSA-pf56-h9qf-rxq4: 
JavaScript vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Saltcorn Server's event logs page affecting versions <=1.0.0-beta.13. The vulnerability (GHSA-pf56-h9qf-rxq4) was disclosed on October 6, 2024, and stems from improper sanitization of event log data in the @saltcorn/server npm package (GitHub Advisory).

The vulnerability exists in the event logs page where user input from event payloads is not properly sanitized before being rendered in the admin panel. The issue is specifically located in the eventlog.js file where the payload data is directly inserted into the HTML without proper escaping. The vulnerability has been assigned a moderate severity rating with a CVSS score of 5.1 (GitHub Advisory).

When exploited, this vulnerability allows non-admin users with table read/write permissions to inject malicious JavaScript code that will be executed in the event log admin panel when event logs are enabled. This creates a stored XSS condition where the malicious code persists in the application and executes when an administrator views the event logs (GitHub Advisory).

The vulnerability has been patched in version 1.0.0-beta.16. The fix involves properly sanitizing user input before building HTML elements. Users are advised to upgrade to version 1.0.0-beta.16 or later to address this security issue (GitHub Commit).