Bug #13125
XSS vulnerability in 2.5.x
| Status: | Verified | Start date: | 07/29/2019 |
|---|---|---|---|
| Priority: | Critical | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Security | | |
| Target version: | Release 2.5.2 | | |
| Google Code Legacy ID: | | Tested version: | 2.5, 2.6 |
| Sponsored: | No | Requires documentation: | |
Description
We are seeing an XSS exploit on 2.5.1 at the following URL:
/informationobject/browse?view=card"><script>alert(150)</script>&onlyMedia=1&topLod=0
I couldn't replicate on the demo site, which is running 2.4.1, so it appears to have been introduced after 2.4.1.
It looks like Chrome is blocking the attack, but I could reproduce it in Firefox. Markdown support should be enabled for this to happen.
History
#1 Updated by José Raddaoui Marín almost 3 years ago
- Status changed from In progress to QA/Review
- Assignee changed from José Raddaoui Marín to Dan Gillean
Fixed in qa/2.6.x (PR).
Please let me know if you want to give it a try before cherry-picking to stable/2.5.x.
#2 Updated by Dan Gillean almost 3 years ago
- Status changed from QA/Review to Feedback
- Assignee changed from Dan Gillean to José Raddaoui Marín
Hey Radda,
Using the provided example URL in my vagrant box running qa/2.6.x, I can still get the 150 dialog in Firefox.
#3 Updated by José Raddaoui Marín almost 3 years ago
- Status changed from Feedback to QA/Review
- Assignee changed from José Raddaoui Marín to Dan Gillean
Sorry Dan, I was pushing to GitHub instead of to Gitolite, and the commit got removed at some point from qa/2.6.x. It should be in there now ;)
#4 Updated by Dan Gillean almost 3 years ago
- Status changed from QA/Review to Verified
- Assignee changed from Dan Gillean to José Raddaoui Marín
Works this time! Feel free to backport :)
#5 Updated by José Raddaoui Marín almost 3 years ago
Added to stable/2.5.x.
#6 Updated by Dan Gillean almost 3 years ago
Confirmed working in stable/2.5.x as well. Thanks!
#7 Updated by José Raddaoui Marín over 2 years ago
- Status changed from Verified to Code Review
This came back, in this case using the "startDate" and "endDate" fields from the IO advanced search panel:
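An added example, not code from AtoM or from anyone in this thread, showing the pattern behind the original report and the regression in comment #7: a request parameter reflected into an HTML attribute verbatim, the same markup with attribute-context escaping applied, and a probe that injects the reported payload into each parameter in turn and reports which ones come back unescaped. The template strings, the choice to treat `view`, `startDate` and `endDate` uniformly, and the "partial fix" variant are assumptions made for illustration; AtoM's actual templates and what its first fix covered are not shown on this page.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Payload from the report: closes the attribute, closes the tag, then injects
# a script element. alert(150) is only the reporter's visible marker.
PAYLOAD = '"><script>alert(150)</script>'
REPORTED_URL = (
    '/informationobject/browse?view=card"><script>alert(150)</script>'
    "&onlyMedia=1&topLod=0"
)

# Parameters the thread names as reflected into the page. Treating all three
# the same way is an assumption for this example, not a statement about AtoM.
PARAMS = ("view", "startDate", "endDate")


def params_from_url(url: str) -> dict:
    """Parse the query string the way a web framework hands it to a template."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def attr(value: str) -> str:
    """Escape for an HTML attribute value: & < > " and ' all become entities."""
    return html.escape(value, quote=True)


def render_unfixed(p: dict) -> str:
    # Hypothetical template: every parameter lands in an attribute verbatim,
    # so a value containing "> escapes the attribute and the element.
    return (
        f'<a href="?view={p.get("view", "")}&onlyMedia=1">Card view</a>\n'
        f'<input name="startDate" value="{p.get("startDate", "")}">\n'
        f'<input name="endDate" value="{p.get("endDate", "")}">'
    )


def render_partial_fix(p: dict) -> str:
    # Only the parameter from the original report is escaped; the date fields
    # still reflect raw input. This mirrors the pattern in comment #7, where
    # the same bug reappeared through other fields; it is illustrative only.
    return (
        f'<a href="?view={attr(p.get("view", ""))}&onlyMedia=1">Card view</a>\n'
        f'<input name="startDate" value="{p.get("startDate", "")}">\n'
        f'<input name="endDate" value="{p.get("endDate", "")}">'
    )


def render_fixed(p: dict) -> str:
    # Every reflected value is escaped for attribute context, so the quote
    # that closes the attribute becomes &quot; and the tag becomes &lt;script&gt;.
    return (
        f'<a href="?view={attr(p.get("view", ""))}&onlyMedia=1">Card view</a>\n'
        f'<input name="startDate" value="{attr(p.get("startDate", ""))}">\n'
        f'<input name="endDate" value="{attr(p.get("endDate", ""))}">'
    )


def probe(render, names=PARAMS) -> dict:
    """Inject PAYLOAD into each parameter separately. True means the payload
    came back byte-for-byte, i.e. the attribute can be closed early and a
    script tag inserted; the other parameters are left empty for each probe."""
    return {
        name: PAYLOAD in render({n: (PAYLOAD if n == name else "") for n in names})
        for name in names
    }


def vulnerable_params(render, names=PARAMS) -> list:
    """Names of the parameters that the given renderer reflects unescaped."""
    return [n for n, hit in probe(render, names).items() if hit]


if __name__ == "__main__":
    for label, render in (("unfixed", render_unfixed),
                          ("partial fix", render_partial_fix),
                          ("fixed", render_fixed)):
        print(f"{label:12s} reflects unescaped: {vulnerable_params(render)}")
    print(render_fixed(params_from_url(REPORTED_URL)))
```

The probe asserts on the response body rather than on whether a dialog pops, so a regression test built on it does not depend on browser-side filtering of the kind the reporter saw in Chrome; Chrome's XSS Auditor was removed in Chrome 78 in any case, and a browser filter was never a substitute for escaping on output. When a parameter only has a handful of legal values, as a view switch typically does, an allowlist with a default fallback is a stricter option than escaping, since nothing user-controlled is reflected at all.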
#8 Updated by Mike Cantelon over 2 years ago
- Status changed from Code Review to Feedback
Your PR looks good to me!
#9 Updated by José Raddaoui Marín over 2 years ago
- Status changed from Feedback to QA/Review
- Assignee changed from José Raddaoui Marín to Dan Gillean
Thanks Mike! Merged in qa/2.6.x.
#10 Updated by Dan Gillean over 2 years ago
- Status changed from QA/Review to Feedback
- Assignee changed from Dan Gillean to José Raddaoui Marín
Looks good! Please backport to stable :)
#11 Updated by José Raddaoui Marín over 2 years ago
- Status changed from Feedback to QA/Review
- Assignee changed from José Raddaoui Marín to Dan Gillean
Added to stable/2.5.x
#12 Updated by Dan Gillean over 2 years ago
- Status changed from QA/Review to Verified
- Assignee deleted (Dan Gillean)
#13 Updated by Dan Gillean over 2 years ago
- Private changed from Yes to No
- Tested version 2.6 added
Now that 2.5.2 has been released with a patch for this issue, making it public again so we can reference it in our release notes, per our new Security Policy.