Eclipse Ditto - XSS on /ui/ path via Environments name

Basic information

Project name: Eclipse Ditto

Project id: iot.ditto / https://eclipse.dev/ditto/ / https://github.com/eclipse-ditto/ditto

What are the affected versions?

latest (3.5.5) and probably earlier versions as well.

Details of the issue

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). On the URL http://localhost:8080/ui/, JavaScript code can be stored and is then executed on other pages.

Steps to reproduce

  1. run the application
  2. navigate to http://localhost:8080/ui/
  3. select environments via the top navigation bar
  4. edit an environment and name it </scrip</script>t><img src =q onerror=prompt(8)>
  5. save the environment and refresh the page. You will get a prompt(8) dialog on every reload of the /ui/ page.

Do you know any mitigations of the issue?

Proper input validation
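The following is an added illustration of the two defences this report points at (it is not Eclipse Ditto's own code, and the function names, the allowlist pattern for environment names and the wrapper markup are assumptions made for the example). It contrasts the vulnerable pattern, where a stored environment name is concatenated into page markup verbatim, with an output-encoded rendering and an allowlist validation step, and it runs the reported payload through all three.

```javascript
// Added example, not code from the Eclipse Ditto project.
// Assumed helper names: escapeHtml, renderUnsafe, renderSafe,
// isValidEnvironmentName, containsInjectedTag.

const ENTITY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output encoding: every character with meaning in HTML is replaced by an
// entity, so the browser renders the value as text rather than parsing it.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Vulnerable pattern (CWE-79): the stored name goes into the markup as-is.
// When the page is rebuilt on reload, a crafted name is parsed as HTML and
// any event handler in it fires. The <span> wrapper is an assumption.
function renderUnsafe(envName) {
  return `<span class="env-name">${envName}</span>`;
}

// Hardened pattern: encode before interpolating. In a real page the same
// effect is obtained by assigning the name to element.textContent instead
// of innerHTML; a string-building version is used here so it runs offline.
function renderSafe(envName) {
  return `<span class="env-name">${escapeHtml(envName)}</span>`;
}

// Input validation (the mitigation named in the report): accept only an
// allowlist of characters that an environment name plausibly needs.
// The pattern and the 64-character limit are assumptions for the example.
const ENV_NAME_PATTERN = /^[A-Za-z0-9 _.-]{1,64}$/;
function isValidEnvironmentName(envName) {
  return ENV_NAME_PATTERN.test(String(envName));
}

// Defender-side check used to compare the two renderings: does the
// fragment contain any tag start inside our wrapper?
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<span class="env-name">/, "")
    .replace(/<\/span>$/, "");
  return /<[A-Za-z/!]/.test(inner);
}

// The environment name from the report, embedded as constructed test input.
const REPORTED_NAME = "</scrip</script>t><img src =q onerror=prompt(8)>";

// Stand-alone demonstration of the three behaviours.
function demo() {
  return {
    unsafeRendersTag: containsInjectedTag(renderUnsafe(REPORTED_NAME)),
    safeRendersTag: containsInjectedTag(renderSafe(REPORTED_NAME)),
    payloadAccepted: isValidEnvironmentName(REPORTED_NAME),
    ordinaryNameAccepted: isValidEnvironmentName("production-eu-1"),
  };
}

console.log(demo());
```

The two controls are complementary: output encoding (or `textContent`) is the one that actually removes the XSS, because it is applied at the point where untrusted data meets HTML, while the allowlist on the name field limits what can be stored in the first place and gives a clear error to the user instead of silently mangling the value.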

Edited by Quirin Zießler