Project

General

Profile

Actions
Copy link

Bug #21468

closed

Bug #21442: Various XSS vulnerabilities in the interface

XSS in API account description

Added by Alexis Mousset over 2 years ago. Updated over 1 year ago.

Status:
Released
Priority:
N/A
Assignee:
François ARMAND
Category:
Security
Target version:
7.1.3
Pull Request:
https://github.com/Normation/rudder/p...
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:

Description

Even if the API accound management is now implemented in Elm it is vulnerable to an XSS in the description tooltip as we build it as raw string inside an attribute.

The impact here is low as the API accounts page or API is only available to administrators.

Actions
Copy link
 #1

Updated by Alexis Mousset over 2 years ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions
Copy link
 #2

Updated by Alexis Mousset over 2 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/4393
Actions
Copy link
 #3

Updated by Alexis Mousset over 2 years ago

  • Parent task set to #21442
Actions
Copy link
 #4

Updated by Alexis Mousset over 2 years ago

  • Status changed from Pending technical review to Pending release
Actions
Copy link
 #5

Updated by Alexis Mousset over 2 years ago

  • Target version changed from 7.1.4 to 7.1.3
Actions
Copy link
 #6

Updated by Alexis Mousset over 2 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.1.3 which was released today.

Actions
Copy link
 #7

Updated by Alexis Mousset over 1 year ago

  • Private changed from Yes to No
Actions
Copy link

Also available in: Atom PDF