Eclipse Ditto - XSS on /ui/ path via Environments name

Basic information

Project name: Eclipse Ditto

Project id: iot.ditto / https://eclipse.dev/ditto/ / https://github.com/eclipse-ditto/ditto

What are the affected versions?

Latest release (3.5.5), and probably earlier releases as well.

Details of the issue

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). At the URL http://localhost:8080/ui/, JavaScript code can be stored (as the name of an environment) and is then executed whenever the page is loaded again, i.e. a stored XSS.

Steps to reproduce

  1. run the application
  2. navigate to http://localhost:8080/ui/
  3. select environments via the top navigation bar
  4. edit an environment and name it `</scrip</script>t><img src =q onerror=prompt(8)>`
  5. save the environment and refresh the page. A prompt(8) dialog appears on every reload of the /ui/ page.
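The shape of the payload above is worth spelling out: `</scrip</script>t>` collapses into a real `</script>` once a sanitizer strips the inner `</script>` in a single pass, and the `<img onerror>` then fires without needing a script element at all. The following is an added example, not Eclipse Ditto code and not a claim about how the Ditto UI actually processes environment names: it assumes a hypothetical blocklist-style sanitizer (`naiveStripScript`) to show why this nesting trick defeats it, and contrasts that with HTML output encoding of the name at render time, which is the fix that actually holds.

```javascript
// Added example (not Eclipse Ditto code): blocklist stripping vs. output
// encoding, run against the payload from the report.

// The environment name exactly as submitted in the report.
const PAYLOAD = '</scrip</script>t><img src =q onerror=prompt(8)>';

// Hypothetical naive "input validation": remove </script> tags once.
// Assumed here to illustrate the nesting trick; not Ditto's actual code.
function naiveStripScript(input) {
  return input.replace(/<\/script>/gi, '');
}

// Context-appropriate output encoding for placing untrusted text into an
// HTML text node. Every character that can start or end markup is escaped.
function escapeHtml(input) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Crude check for the demo: would the browser's HTML parser still see an
// element (opening or closing tag) in this string?
function containsMarkup(s) {
  return /<\/?[a-z]/i.test(s);
}

// How the environment name should reach the DOM: build the fragment with the
// encoded value, so the name is rendered as text rather than interpreted.
function renderEnvironmentName(name) {
  return `<span class="env-name">${escapeHtml(name)}</span>`;
}

// Runs both approaches against the payload and reports what survives.
function demo() {
  const stripped = naiveStripScript(PAYLOAD);
  const encoded = escapeHtml(PAYLOAD);
  return {
    stripped,                                   // '</script><img src =q onerror=prompt(8)>'
    strippedStillDangerous: containsMarkup(stripped), // true: strip re-created </script>
    encoded,
    encodedSafe: !containsMarkup(encoded),      // true: no raw '<' left to parse
    rendered: renderEnvironmentName(PAYLOAD),
  };
}
```

Removing `</script>` from `</scrip</script>t>` leaves `</script>` behind, so any single-pass strip (and, by the same reasoning, most blocklists) is bypassed; encoding on output has no such failure mode because the question is no longer "which tags are forbidden" but "is this string ever handed to the HTML parser as markup".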

Do you know any mitigations of the issue?

Proper input validation, and above all HTML output encoding of the environment name wherever the UI renders it (escaping the value, rather than trying to blocklist tags).

Edited by Quirin Zießler