PT-2026-22402 · Canarytokens · Canarytokens Pwa
Arkmarta · Published 2026-02-27 · Updated 2026-02-28 · CVE-2026-28355
CVSS v4.0: 1.3 (Low)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Canarytokens versions prior to sha-7ff0e12
Description
The Canarytokens PWA Canarytoken has a Self Cross-Site Scripting issue. A Canarytoken creator can execute JavaScript code by inserting it into the title field of their PWA token. This allows the creator to attack themselves or anyone they share the link with. When a victim clicks on the installation link, the JavaScript code executes. However, no sensitive information is disclosed to a malicious actor.
Recommendations
Update to a Docker image after sha-7ff0e12 or pull the latest Docker image from Canarytokens.org.
Fix
XSS
Affected Products
Canarytokens Pwa