Eclipse Ditto - Reflected XSS on /ui/ path
Basic information
Project name: Eclipse Ditto
Project id: iot.ditto / https://eclipse.dev/ditto/ / https://github.com/eclipse-ditto/ditto
What are the affected versions?
latest (3.5.5) and probably also below.
Details of the issue
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). On the url: http://localhost:8080/ui/ javascript code can be executed.
Steps to reproduce
- run the application
- navigate to http://localhost:8080/ui/
- enter
</scrip</script>t><img src =q onerror=prompt(8)>to the input in the left corner (cp. Screenshot)
Edit: Even after removing the string from the search input it still triggers every time when switching the environments.
Do you know any mitigations of the issue?
Suitable input validation.
Activity
Greetings @quirinziessler are there any other researchers who should be credited in this CVE?
Regarding the opening of multiple vulnerability reports, we thank you for taking the time and effort to track down every vulnerable input but will evaluate on the assignment of multiple CVEs for the same application, version and vulnerability.Hi @tiagolucas for my three findings I am the only researcher. I know my colleague also found some after taking this topic over. If you want to merge all of the findings to a single CVE, feel free to do so but please mention us both in it.
@quirinziessler @tjaeckle we have one CVE entry for now. We'll credit all researchers.
@quirinziessler if there are two of you, I have everyone
@mrybczyn exactly. Manuel Sommer and me.
assigned to @geglocker and @tjaeckle
@tiagolucas will we get access to the other created GitLab issues?
I assume all are related to inproper input validation (XSS) at the Ditto Web-UI?
Edited by Thomas Jaeckle
mentioned in issue #202 (closed)
