
Eclipse Ditto - Stored XSS on /ui/ path via Policies resources

Basic information

Project name: Eclipse Ditto

Project id: iot.ditto / https://eclipse.dev/ditto/ / https://github.com/eclipse-ditto/ditto

What are the affected versions?

Latest (3.5.5) and probably earlier versions as well.

Details of the issue

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). On the URL http://localhost:8080/ui/, JavaScript code can be stored via the policy editor and is executed when other pages of the UI are rendered.

Steps to reproduce

  1. run the application
  2. navigate to http://localhost:8080/ui/
  3. navigate to "policies" via the top nav bar
  4. click on one resource via the "resources" overview. Then edit the resource via the container on the right.
  5. add "</scrip</script>t><img src =q onerror=prompt(8)>" to the "grant" JSON dict [screenshot]
  6. save the resource
  7. the XSS is now executed at every page reload [screenshot]
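The vulnerable rendering pattern beside its hardened form, as an added example that is not code from the Eclipse Ditto UI. It assumes a UI that builds the policy "grant" list by string-concatenating HTML (an assumption; the report does not show how the real UI produces its markup), and uses the payload from step 5 inside a constructed policy entry in Ditto's policy JSON layout.

```javascript
// Added example, not Eclipse Ditto code. Assumes a UI that renders policy
// resources by concatenating HTML strings (assumption, not from the report).

// Constructed sample policy entry in Ditto's policy JSON layout, with the
// payload from the report stored in the "grant" list of one resource.
const samplePolicyEntry = {
  subjects: { "nginx:ditto": { type: "nginx basic auth user" } },
  resources: {
    "thing:/": {
      grant: ["READ", "</scrip</script>t><img src =q onerror=prompt(8)>"],
      revoke: [],
    },
  },
};

// Entity-encode the five characters that can change HTML context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: JSON values are interpolated straight into markup, so a
// stored value containing tags becomes part of the page on every reload.
function renderGrantUnsafe(resources) {
  return Object.entries(resources)
    .map(([path, r]) => `<li>${path}: grant=${r.grant.join(", ")}</li>`)
    .join("");
}

// Hardened pattern: every untrusted value is escaped before it reaches the
// DOM. In a browser, assigning via element.textContent achieves the same.
function renderGrantSafe(resources) {
  return Object.entries(resources)
    .map(([path, r]) =>
      `<li>${escapeHtml(path)}: grant=${r.grant.map(escapeHtml).join(", ")}</li>`)
    .join("");
}

// Regression check for a unit test: the injected <img> tag must not survive
// rendering as a real tag (the escaped text "&lt;img" is harmless).
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}

console.log(containsInjectedTag(renderGrantUnsafe(samplePolicyEntry.resources))); // true
console.log(containsInjectedTag(renderGrantSafe(samplePolicyEntry.resources)));   // false
```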

Do you know any mitigations of the issue?
