## Graylog Security findings

Hello there all,
We did a scan pentest on graylog and we found the following which is consider to be a finding - and We would like to know if this could be a potential threat to Graylog system, please advise.

Severity: Medium - Remove/Encode user’s input before saving them to the database.

URL:
https://graylog.test.test/api/events/definitions/6641a7af1dbd0348d6c2296d?schedule=true
https://graylog.test.test/api/users/65ae10b1b7ac0e3dafbfbf29

Risk:
During the testing, it was observed that the application is missing input validation on user’s input fields.

Potential Causes:
The application should implement input validation by removing or encoding special characters received in user’s request input fields before saving them to the database.
In this case, application was not validating the input provides by the user in the input fields.

Remediation Recommendation:

  1. Remove/Encode user’s input before saving them to the database.

Reproduction Steps for Alert Page:

  1. Login with user admin user (PENTEST). Click on ALERTS.
  2. Capture the request and send to repeater.
  3. Change the title and description fields data with XSS payload “” .
  4. Click on Send, now go to browser → Alerts.

I quired the MongoDB database and found it to save this injection.

    ],
    "auth_service_uid" : null,
    "last_name" : "Tester",
    "account_status" : "enabled",
    "password" : "{bcrypt}$2a$10$8jIp37ssdsdasdasdasdasdasdasdasasasdasdas435325WTsiuqeW42eLCsu{salt}$2a$10$8jIp37tBiHKtBhU8T/aQH.",
    "full_name" : "<script>alert(1)</script> Tester",
    "session_timeout_ms" : NumberLong(3600000),
    "permissions" : [ ],
    "external_user" : false,
    "first_name" : "<script>alert(1)</script>",
    "email" : "me.user@vvv.com",
    "username" : "pentest"

}

Which mongo collection is this in? Having trouble following the repro steps.