Eclipse Ditto - Reflected XSS on /ui/ path
Basic information
Project name: Eclipse Ditto
Project id: iot.ditto / https://eclipse.dev/ditto/ / https://github.com/eclipse-ditto/ditto
What are the affected versions?
Latest (3.5.5), and probably earlier versions as well.
Details of the issue
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). On the URL http://localhost:8080/ui/, JavaScript code can be executed: a value typed into the UI's search input is written back into the page without being neutralized, so a crafted value runs as script in the user's browser.
Steps to reproduce
- run the application
- navigate to http://localhost:8080/ui/
- enter the following payload into the search input in the left corner (cf. screenshot):
</scrip</script>t><img src =q onerror=prompt(8)>
Edit: Even after removing the string from the search input, it still triggers every time the environment is switched.
Do you know any mitigations of the issue?
Suitable input validation, and above all context-aware output encoding: the search term must be HTML-escaped wherever the UI writes it into the page (or set through DOM text APIs such as textContent instead of innerHTML). Filtering on its own is not enough, since payloads of the form </scrip</script>t> are built precisely to survive a single pass of tag removal.
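To make the reproduction step and the mitigation concrete, the following added example (written for this report, not Eclipse Ditto's own UI code) runs the payload from the steps above through a naive single-pass tag filter and through proper HTML escaping, and contrasts an innerHTML render path with a textContent one. The function names (naiveStripScriptTags, escapeHtml, containsEventHandlerTag, renderSearchTermUnsafe, renderSearchTermSafe, fakeElement) are hypothetical, and the element object is a constructed stand-in so the code also runs outside a browser.

```javascript
// Added example, not Eclipse Ditto code. Demonstrates why the report's payload
// defeats a single-pass tag filter and why output encoding is the real fix.
// All function names below are hypothetical.

// The payload exactly as given in the reproduction steps.
const PAYLOAD = '</scrip</script>t><img src =q onerror=prompt(8)>';

// Naive "input validation": delete <script> / </script> tags in one pass.
// The payload nests one </script> inside another so that removing the inner
// tag leaves a complete </script> behind, and the <img onerror=...> part is
// never touched at all.
function naiveStripScriptTags(value) {
  return value.replace(/<\/?script\b[^>]*>/gi, '');
}

// Context-aware output encoding for the HTML text context: every character
// that could open a tag or an attribute is turned into an entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Crude marker for "a browser would still act on this": an element tag that
// carries an on* event-handler attribute.
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Vulnerable render path: the search term is concatenated into innerHTML, so
// the browser parses it as markup and fires the onerror handler.
function renderSearchTermUnsafe(element, term) {
  element.innerHTML = `Search: ${term}`;
  return element.innerHTML;
}

// Hardened render path: textContent never parses the value as markup; the
// browser serializes it escaped if the node is later read back as HTML.
function renderSearchTermSafe(element, term) {
  element.textContent = `Search: ${term}`;
  return element.textContent;
}

// Constructed stand-in for a DOM element (in a page you would use
// document.querySelector(...)); it just stores whatever is assigned.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Runs the comparison and returns every intermediate result.
function demo() {
  const stripped = naiveStripScriptTags(PAYLOAD);
  const escaped = escapeHtml(PAYLOAD);
  return {
    stripped,                                                   // '</script><img src =q onerror=prompt(8)>'
    strippedStillDangerous: containsEventHandlerTag(stripped),  // true
    escaped,                                                    // no '<' survives
    escapedStillDangerous: containsEventHandlerTag(escaped),    // false
    unsafeHtml: renderSearchTermUnsafe(fakeElement(), PAYLOAD), // markup reaches the parser
    safeText: renderSearchTermSafe(fakeElement(), PAYLOAD),     // stays inert text
  };
}
```

The stripped result still contains a live `<img ... onerror=...>` tag (and, ironically, a clean `</script>`), which is why "input validation" as the only control is insufficient; the escaped result contains no tag delimiters at all, so wherever the UI needs to show the term it should either escape it before building HTML or assign it via textContent.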