Eclipse Ditto - Stored XSS on /ui/ path via Policies resources

Basic information

Project name: Eclipse Ditto

Project id: iot.ditto / https://eclipse.dev/ditto/ / https://github.com/eclipse-ditto/ditto

What are the affected versions?

Latest (3.5.5) and probably also earlier versions.

Details of the issue

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). On the URL http://localhost:8080/ui/, JavaScript code can be stored and will be executed on other pages.

Steps to reproduce

  1. Run the application.
  2. Navigate to http://localhost:8080/ui/.
  3. Navigate to "Policies" via the top nav bar.
  4. Click on one resource in the "Resources" overview, then edit the resource via the container on the right.
  5. Add "</scrip</script>t><img src =q onerror=prompt(8)>" to the "grant" JSON array.
  6. Save the resource.
  7. The XSS is now executed at every page reload.
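To make the CWE-79 pattern behind these steps concrete from the defender's side, here is an added example that is not Eclipse Ditto code: a minimal, hypothetical UI renderer for a policy entry's "grant" array, shown first in the vulnerable form (untrusted JSON values concatenated straight into markup) and then hardened with HTML escaping, plus a schema-level check. The helper names (`escapeHtml`, `renderGrantUnsafe`, `renderGrantSafe`, `validateGrant`) and the sample policy entry are constructed for this illustration; the permission vocabulary `READ`/`WRITE` is assumed from Ditto's policy documentation.

```javascript
// Added example, not from the Eclipse Ditto project. Hypothetical helpers that
// render a policy entry's "grant" list into HTML, to show the stored-XSS sink
// described in the report and how to close it.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: policy JSON values are trusted and spliced directly into markup.
// Anything stored in "grant" (e.g. via the policies editor) becomes live HTML.
function renderGrantUnsafe(grant) {
  return '<ul>' + grant.map((g) => `<li>${g}</li>`).join('') + '</ul>';
}

// HARDENED: every untrusted value is escaped for the HTML text context before
// concatenation. In a real DOM-based UI, assigning to element.textContent
// instead of innerHTML achieves the same thing without manual escaping.
function renderGrantSafe(grant) {
  return '<ul>' + grant.map((g) => `<li>${escapeHtml(g)}</li>`).join('') + '</ul>';
}

// Defence in depth: a grant entry must be one of the known permission names,
// so arbitrary strings are rejected before they are ever stored or rendered.
// READ / WRITE are assumed here as Ditto's documented policy permissions.
const KNOWN_PERMISSIONS = new Set(['READ', 'WRITE']);
function validateGrant(grant) {
  // Returns the entries that are NOT valid permissions (empty array = all good).
  return grant.filter((g) => !KNOWN_PERMISSIONS.has(g));
}

// Constructed sample: a policy entry whose "grant" carries the report's payload.
const samplePolicyEntry = {
  resources: {
    'thing:/': { grant: ['READ', '<img src=q onerror=prompt(8)>'], revoke: [] },
  },
};

function demo() {
  const grant = samplePolicyEntry.resources['thing:/'].grant;
  return {
    unsafe: renderGrantUnsafe(grant),   // contains a live <img ... onerror=...> tag
    safe: renderGrantSafe(grant),       // tag rendered as inert text: &lt;img ...&gt;
    invalid: validateGrant(grant),      // ['<img src=q onerror=prompt(8)>']
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The escaping step alone neutralises the sink; the validation step is the cheaper fix for a field like "grant", whose legitimate values form a closed set, and it also stops the payload from being persisted in the first place.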

Do you know any mitigations of the issue?