
Problem: Potential Cross-site scripting #44

Closed
ntrampham opened this issue May 17, 2024 · 9 comments

Labels: bug (Something isn't working), security (Security)

Comments

@ntrampham
Versions: latest

Scope: Backend (API)

Issue: Report.pdf

@ntrampham ntrampham added problem Problem triage Triage labels May 17, 2024
@ansibleguy ansibleguy added bug Something isn't working security Security and removed triage Triage problem Problem labels May 20, 2024
@ansibleguy ansibleguy self-assigned this May 20, 2024
ansibleguy added a commit that referenced this issue May 20, 2024
@ansibleguy
Owner

Greetings!

Thank you for reporting this issue. Had overlooked that validation.

@ntrampham
Author

Hi

Would you mind publishing a CVE for this?

@ansibleguy
Owner

I actually do not know how to publish a CVE. Would have to read into it...
Using this form? https://cveform.mitre.org/

@ntrampham
Author

Yes, absolutely right!

@ntrampham
Author

It would be great if you could set up a security policy for the repo you own here: https://github.com/ansibleguy/webui/security.

This would allow users to draft a report on their own. You will then only need to approve and publish it. Ref: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory#

@ansibleguy
Owner

Alright. Have added the policy and security advisories are now enabled.
Would you mind testing the validation-fix in version 0.0.21?

@ntrampham
Author

Fix looks good. I am no longer able to reproduce the vulnerability. Please go ahead and publish a security advisory for this.

@ansibleguy
Owner

ansibleguy commented May 28, 2024

Here you go: GHSA-927p-xrc2-x2gj

Thank you again for reporting it.

Have a nice day

@superstes
Contributor

superstes commented Aug 28, 2024

Note: CSP has been configured since the last release.
This feature helps prevent XSS in possible future vulnerabilities.
5cbe2f8
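The two layers the thread mentions, an output-side fix for the reported XSS and a Content-Security-Policy header as defense in depth, as an added example. This is not the ansibleguy/webui project's own code and does not reproduce its fix or its CSP settings (the report itself is only attached as a PDF); it assumes a plain WSGI application, whereas the project (assumed here to be Django-based) would do the same in Django middleware. The `csp.nonce` environ key, `demo_app` and `run_request` are illustrative names, not part of any library.

```python
"""Added example: per-request nonce CSP middleware beside output escaping.
Not the webui project's code; names like csp.nonce and demo_app are
assumptions made for the example."""
import html
import secrets
from typing import Callable, Iterable, List, Tuple

WsgiApp = Callable[[dict, Callable], Iterable[bytes]]


def build_csp(nonce: str) -> str:
    """Build a CSP that allows inline scripts only when they carry this
    request's nonce. Without 'unsafe-inline', an injected <script> block
    (which cannot know the nonce) is refused by the browser even if some
    future template forgets to escape its input."""
    directives = [
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ]
    return "; ".join(directives)


class CSPMiddleware:
    """WSGI middleware: mint a fresh nonce per request, hand it to the app
    via environ['csp.nonce'] (assumed key), and set the CSP header on the
    response, overriding any header the app set itself."""

    def __init__(self, app: WsgiApp) -> None:
        self.app = app

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        nonce = secrets.token_urlsafe(16)  # 128 bits of randomness, URL-safe base64
        environ["csp.nonce"] = nonce

        def wrapped_start_response(status: str, headers: List[Tuple[str, str]], exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "content-security-policy"]
            headers.append(("Content-Security-Policy", build_csp(nonce)))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def render_page(user_value: str, nonce: str) -> str:
    """Primary fix: escape untrusted data before it lands in HTML.
    The application's own inline script carries the nonce, so it still runs."""
    safe = html.escape(user_value, quote=True)
    return (
        "<html><body>"
        f"<p>Name: {safe}</p>"
        f'<script nonce="{nonce}">console.log("trusted inline script");</script>'
        "</body></html>"
    )


def demo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Minimal app reading a constructed 'user value' from environ."""
    body = render_page(environ.get("demo.user_value", ""), environ["csp.nonce"]).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def run_request(user_value: str) -> Tuple[str, dict, str]:
    """Drive the stack without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    app = CSPMiddleware(demo_app)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "demo.user_value": user_value}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed XSS probe as the untrusted input.
    status, headers, body = run_request("<script>alert(1)</script>")
    print(status)
    print(headers["Content-Security-Policy"])
    print(body)
```

Escaping is the fix that removes the vulnerability; the CSP only limits the damage if a later code path forgets it. Two checks worth keeping in a test suite: the header must never contain `'unsafe-inline'` (which would void the nonce), and the nonce must differ between requests.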
