Stored XSS through policies subject

Basic information

Project name: Eclipse Ditto

Project id: https://eclipse.dev/ditto/ / https://github.com/eclipse-ditto/ditto

What are the affected versions?

latest (3.5.5) and probably also below.

Details of the issue

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). On the url: http://localhost:8080/ui/ javascript code can be executed.

Steps to reproduce:

visit the following link: http://localhost:8080/ui/?primaryEnvironmentName=ditto_sandbox#
enter this <IMG SRC=x onerror=prompt(999)></img> into Subjects:
Press update

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information