Bug #21468

closed

Bug #21442: Various XSS vulnerabilities in the interface

XSS in API account description

Added by Alexis Mousset almost 2 years ago. Updated 9 months ago.

Status: Released
Priority: N/A
Category: Security
Priority: 0
Name check: To do
Fix check: To do

Description

Even if the API account management is now implemented in Elm, it is vulnerable to an XSS in the description tooltip, as we build it as a raw string inside an attribute.

The impact here is low as the API accounts page or API is only available to administrators.
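The sink described above, as an added illustration in plain JavaScript (not Rudder's Elm code, and not the fix from the linked pull request): a tooltip whose `title` attribute is built by string interpolation lets an account description that contains a double quote close the attribute and add attributes of its own, while escaping the value for attribute context keeps it inside the intended attribute. The markup shape, the `tooltipUnsafe`/`tooltipSafe` names and the constructed description are assumptions for the example.

```javascript
// Added example (not Rudder's code): a raw string interpolated into an HTML
// attribute is an XSS sink; attribute-context escaping closes it.

// Escape the characters that can terminate a quoted attribute value or open
// a tag. '&' must be handled first so later replacements are not re-escaped.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable variant (hypothetical): description interpolated verbatim.
function tooltipUnsafe(description) {
  return `<span class="tooltip" title="${description}">?</span>`;
}

// Hardened variant (hypothetical): same markup, value escaped for attributes.
function tooltipSafe(description) {
  return `<span class="tooltip" title="${escapeAttr(description)}">?</span>`;
}

// Defender-side check over generated markup: collect the attributes actually
// present on the opening <span>. Anything beyond class/title means the
// description broke out of the title attribute.
function parseAttributes(markup) {
  const open = markup.match(/^<span\s([^>]*)>/);
  const attrs = {};
  if (!open) return attrs;
  for (const m of open[1].matchAll(/([\w-]+)="([^"]*)"/g)) attrs[m[1]] = m[2];
  return attrs;
}

// Constructed sample description: inert, but contains a closing quote.
const SAMPLE_DESCRIPTION = 'Deploy key" data-extra="1';

console.log(Object.keys(parseAttributes(tooltipUnsafe(SAMPLE_DESCRIPTION))));
// ["class", "title", "data-extra"]  <- a third attribute was injected
console.log(Object.keys(parseAttributes(tooltipSafe(SAMPLE_DESCRIPTION))));
// ["class", "title"]                 <- value stayed inside title
```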

Actions #1

Updated by Alexis Mousset almost 2 years ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #2

Updated by Alexis Mousset almost 2 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/4393
Actions #3

Updated by Alexis Mousset almost 2 years ago

  • Parent task set to #21442
Actions #4

Updated by Alexis Mousset almost 2 years ago

  • Status changed from Pending technical review to Pending release
Actions #5

Updated by Alexis Mousset almost 2 years ago

  • Target version changed from 7.1.4 to 7.1.3
Actions #6

Updated by Alexis Mousset almost 2 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.1.3 which was released today.

Actions #7

Updated by Alexis Mousset 9 months ago

  • Private changed from Yes to No