XSS through "Adjust fields for things table"
Basic information
Project name: Eclipse Ditto
Project id: https://eclipse.dev/ditto/ / https://github.com/eclipse-ditto/ditto
What are the affected versions?
Latest release (3.5.5) and probably earlier versions as well.
Details of the issue
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). At the URL http://localhost:8080/ui/?primaryEnvironmentName=ditto_sandbox, attacker-supplied JavaScript code can be executed.
Steps to reproduce:
- Visit the following URL: http://localhost:8080/ui/?primaryEnvironmentName=ditto_sandbox#
- Select a Thing ID and edit the Feature ID with the following payload: <IMG SRC=x onerror=alert('XSS')> (see screenshot)
- Press "Create"; this triggers execution of the JavaScript.
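As an added example (not the Ditto project's own code, and assuming a simple string-templating renderer for the table cell), the vulnerable pattern beside the hardened one, with the report's payload as the constructed input:

```javascript
// Added example (not Eclipse Ditto's own code): rendering a user-controlled
// feature ID into the things table without letting the browser parse it as HTML.

// Characters that matter in HTML text and in double- or single-quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a string so it is rendered literally when placed in HTML markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (CWE-79): the ID is concatenated straight into markup,
// so an <img onerror=...> payload becomes a real element with an event handler.
function renderFeatureCellUnsafe(featureId) {
  return `<td>${featureId}</td>`;
}

// Hardened pattern: the ID is escaped, so the same input is shown as plain text.
// When building real DOM nodes, the equivalent is `cell.textContent = featureId`.
function renderFeatureCellSafe(featureId) {
  return `<td>${escapeHtml(featureId)}</td>`;
}

// Detection helper: does the rendered cell body still contain an HTML tag
// that came from the input (i.e. anything besides the <td> wrapper)?
function containsTag(markup) {
  const body = markup.replace(/^<td>/, '').replace(/<\/td>$/, '');
  return /<\s*[a-z][^>]*>/i.test(body);
}

// Constructed sample: the payload from the reproduction steps above.
const SAMPLE_PAYLOAD = "<IMG SRC=x onerror=alert('XSS')>";

console.log('unsafe:', renderFeatureCellUnsafe(SAMPLE_PAYLOAD));
console.log('safe:  ', renderFeatureCellSafe(SAMPLE_PAYLOAD));
```

Escaping on output is the fix for this class of bug; validating feature IDs on input is a useful extra layer but does not replace it.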
Edited by Manuel Sommer