Actions
Bug #21442
closed
Various XSS vulnerabilities in the interface
Pull Request:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
No
Description
With information from nodes:
- When running a remote run from the interface the output is not escaped
- In node details, the software tab information are not escaped
- In all nodes list (Nodes, Groups pages, etc.), the OS column is not escaped
(the last too are also visible for pending nodes so it can be trigerred from anyone in the allowed networks.
and with lower impact (potential privilege escalation inside Rudder):
- tags in rules and directives, when hovering the tag in the lists (directives and rules pages)
- api accounts details when hovering
Files
| Screenshot from 2022-07-20 17-23-25.png (47.6 KB) Screenshot from 2022-07-20 17-23-25.png | |||
| injection.json (662 Bytes) injection.json |
Updated by Alexis Mousset over 2 years ago
Updated by Nicolas CHARLES over 2 years ago
- File injection.json injection.json added
Updated by Alexis Mousset over 2 years ago
- Subject changed from Remote run output displays allows JS injections to Various XSS vulnerabilities in the interface
Updated by François ARMAND over 2 years ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND over 2 years ago
- Related to Bug #19456: Lack of HTML escaping in nodes list added
Updated by Alexis Mousset almost 2 years ago
- Status changed from In progress to Resolved
- Regression set to No
Updated by Alexis Mousset over 1 year ago
- Target version changed from old 6.1 issues to relocate to 6.1.21
Actions