XSS through "Adjust fields for things table "

Basic information

Project name: Eclipse Ditto

Project id: https://eclipse.dev/ditto/ / https://github.com/eclipse-ditto/ditto

latest (3.5.5) and probably also below.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). On the url: http://localhost:8080/ui/?primaryEnvironmentName=ditto_sandbox javascript code can be executed.

Steps to reproduce:

Visit the following URL: http://localhost:8080/ui/?primaryEnvironmentName=ditto_sandbox#
Select a Thing ID and edit the Feature ID with the following payload: <IMG SRC=x onerror=alert('XSS')> (See screenshot)
Press "Create", then it triggers the execution of Javascript

Edited May 17, 2024 by Manuel Sommer

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information