
Eclipse Ditto - Reflected XSS on /ui/ path

Basic information

Project name: Eclipse Ditto

Project id: iot.ditto / https://eclipse.dev/ditto/ / https://github.com/eclipse-ditto/ditto

What are the affected versions?

latest (3.5.5) and probably earlier versions as well.

Details of the issue

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). On the URL http://localhost:8080/ui/, JavaScript code can be executed.

Steps to reproduce

  1. Run the application.
  2. Navigate to http://localhost:8080/ui/
  3. Enter </scrip</script>t><img src =q onerror=prompt(8)> into the input in the left corner (cf. screenshot).

Edit: Even after removing the string from the search input, it still triggers every time the environment is switched.

Do you know any mitigations of the issue?

Suitable input validation.
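The standard fix for CWE-79 is to encode untrusted text before it is placed into markup (or to write it via textContent rather than innerHTML). The block below is an added example, not Eclipse Ditto's UI code: the render functions, the `makeUiState` model of a search term that is kept in state and re-rendered on an environment switch (the behaviour the Edit note above describes), and the `containsActiveMarkup` reviewer check are all constructed for illustration, using the string quoted in the steps as sample input.

```javascript
// Added example, not Eclipse Ditto code. Models the CWE-79 pattern from the
// report next to its fix; Ditto's real element ids and render path are not
// reproduced here, and the state model below is an assumption for illustration.

// Minimal HTML entity encoder for text placed inside an element body.
// Covers the five characters that can change HTML structure.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: user-controlled search text is concatenated into markup
// that is later assigned to innerHTML. This is the bug class of the report.
function renderUnsafe(searchTerm) {
  return `<div class="filter">${searchTerm}</div>`;
}

// Fixed pattern: encode before the text reaches the markup. In a live DOM the
// simplest equivalent is `el.textContent = searchTerm` instead of innerHTML.
function renderSafe(searchTerm) {
  return `<div class="filter">${escapeHtml(searchTerm)}</div>`;
}

// Hypothetical model of the persisted state the Edit note points at: the term
// is stored in a settings object and re-rendered on every environment switch,
// so clearing the visible input box alone does not remove the stored value.
function makeUiState(render) {
  const state = { searchTerm: "", environment: "local", rendered: "" };
  return {
    setSearchTerm(term) {
      state.searchTerm = term;
      state.rendered = render(state.searchTerm);
    },
    switchEnvironment(name) {
      state.environment = name;
      state.rendered = render(state.searchTerm); // re-render from stored state
    },
    clearInput() {
      // Clearing the input widget does not touch state.searchTerm (the bug).
    },
    snapshot() { return { ...state }; },
  };
}

// Reviewer check on rendered markup: no raw tag from a user-supplied string,
// and no inline event handler attribute inside any tag, should survive.
function containsActiveMarkup(html) {
  const rawTag = /<\s*(img|script|svg|iframe)\b/i.test(html);
  const handlerInTag = /<[^>]*\bon[a-z]+\s*=/i.test(html);
  return rawTag || handlerInTag;
}

// Constructed sample input: the string quoted in the steps to reproduce.
const SAMPLE_INPUT = "</scrip</script>t><img src =q onerror=prompt(8)>";

// Runs both variants through the same flow (set term, clear input, switch
// environment) and reports whether active markup survived in each.
function demo() {
  const unsafe = makeUiState(renderUnsafe);
  unsafe.setSearchTerm(SAMPLE_INPUT);
  unsafe.clearInput();
  unsafe.switchEnvironment("staging");

  const safe = makeUiState(renderSafe);
  safe.setSearchTerm(SAMPLE_INPUT);
  safe.clearInput();
  safe.switchEnvironment("staging");

  return {
    unsafeActive: containsActiveMarkup(unsafe.snapshot().rendered),
    safeActive: containsActiveMarkup(safe.snapshot().rendered),
    safeRendered: safe.snapshot().rendered,
  };
}

console.log(demo());
```

The point of the state model is the second half of the report: because the term is re-rendered from stored state, the fix has to sit in the render path (encoding at output time), not only on the input handler, otherwise a value that is already persisted keeps firing on every environment switch.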

Edited by Quirin Zießler