Skip to content

Eclipse Ditto - Reflected XSS on /ui/ path

Basic information

Project name: Eclipse Ditto

Project id: iot.ditto / https://eclipse.dev/ditto/ / https://github.com/eclipse-ditto/ditto

What are the affected versions?

latest (3.5.5) and probably also below.

Details of the issue

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). On the url: http://localhost:8080/ui/ javascript code can be executed.

Steps to reproduce

  1. run the application
  2. navigate to http://localhost:8080/ui/
  3. enter </scrip</script>t><img src =q onerror=prompt(8)> to the input in the left corner (cp. Screenshot) image

Edit: Even after removing the string from the search input it still triggers every time when switching the environments.

Do you know any mitigations of the issue?

Suitable input validation.

Edited by Quirin Zießler
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Copyright © Eclipse Foundation, Inc. All Rights Reserved.     Privacy Policy | Terms of Use | Copyright Agent