Eclipse Ditto - Reflected XSS on /ui/ path
Basic information
Project name: Eclipse Ditto
Project id: iot.ditto / https://eclipse.dev/ditto/ / https://github.com/eclipse-ditto/ditto
What are the affected versions?
Latest (3.5.5) and probably also earlier versions.
Details of the issue
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). On the URL http://localhost:8080/ui/, JavaScript code can be executed.
Steps to reproduce
- run the application
- navigate to http://localhost:8080/ui/
- enter
</scrip</script>t><img src =q onerror=prompt(8)>
into the input field in the left corner (cf. screenshot)
Edit: Even after removing the string from the search input, it still triggers every time the environment is switched.
Do you know any mitigations of the issue?
Suitable input validation.
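As an added illustration (not Eclipse Ditto's code), the following contrasts the pattern this report implies, a user-supplied search string written into the page as markup, with a hardened version that encodes the value before rendering, using the payload quoted above. The template markup, function names and the assumption that the string is stored and re-rendered on environment switch are illustrative assumptions, not taken from the Ditto UI.

```javascript
// Added example, not Eclipse Ditto's code. The span template and function
// names are assumptions; the payload is the one quoted in the report.
const REPORTED_PAYLOAD = '</scrip</script>t><img src =q onerror=prompt(8)>';

// Encode the five characters that matter inside element content and
// double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw string becomes part of the markup, so the
// reported payload closes the template and injects its own <img> element.
function renderFilterUnsafe(term) {
  return `<span class="filter">${term}</span>`;
}

// Hardened pattern: the value is encoded before it is placed in the markup.
// In a browser, assigning element.textContent = term gives the same result
// without building an HTML string at all.
function renderFilterSafe(term) {
  return `<span class="filter">${escapeHtml(term)}</span>`;
}

// Lists tag names present in rendered output but absent from the template,
// i.e. markup that originated from the value rather than from the code.
// Useful as a unit-test guard for UIs that persist and re-render values
// (the report notes the payload re-fires on every environment switch).
function injectedTagNames(rendered, template) {
  const tagsIn = (html) => (html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [])
    .map((t) => t.replace(/^<\/?/, '').toLowerCase());
  const allowed = new Set(tagsIn(template));
  return tagsIn(rendered).filter((name) => !allowed.has(name));
}

// The template with an empty value, used as the baseline for the guard.
const TEMPLATE = renderFilterSafe('');

console.log(injectedTagNames(renderFilterUnsafe(REPORTED_PAYLOAD), TEMPLATE)); // [ 'scrip', 'script', 'img' ]
console.log(injectedTagNames(renderFilterSafe(REPORTED_PAYLOAD), TEMPLATE));   // []
```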
Edited by Quirin Zießler