CVE-2021-33570

Name of the Vulnerable Software and Affected Versions Postbird version 0.8.4

Description The issue allows for stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. This can result in reading local files via vectors involving XMLHttpRequest and open of a file:/// URL, or discovering PostgreSQL passwords via vectors involving Window.localStorage and savedConnections.

Recommendations For Postbird version 0.8.4, consider disabling the use of IMG elements with the onerror attribute in PostgreSQL database tables until a patch is available. Restrict access to local files and PostgreSQL passwords to minimize the risk of exploitation. Avoid using the Window.localStorage and savedConnections variables in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.