Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XSS scripting in bootstrap <3.3.7 #4603

Closed
pbr0ck3r opened this issue Feb 21, 2018 · 3 comments
Closed

XSS scripting in bootstrap <3.3.7 #4603

pbr0ck3r opened this issue Feb 21, 2018 · 3 comments
Assignees
@edmundoa
Labels
bug triaged
Milestone
3.0.0

Comments

@pbr0ck3r
Copy link
Contributor

Expected Behavior

Don't allow XSS.

Current Behavior

Bootstrap 3.3.7 is are vulnerable to Cross-Site Scripting (XSS) attacks via the data-target attribute.
https://snyk.io/vuln/npm:bootstrap:20160627
Fixed in: twbs/bootstrap#23687

Possible Solution

  • Update to bootstrap 4.0.0 or version 3.4.0 when it is released (currently in dev).

Steps to Reproduce (for bugs)

Context

  • Security Vulnerability

Your Environment

  • Graylog Version: 2.4.3
  • Elasticsearch Version: 6.1.2
  • MongoDB Version: 3.6.2
  • Operating System: Mac OS High Seirra
  • Browser version: Firefox/Chrome
@dennisoelkers
Copy link
Member

dennisoelkers commented Mar 9, 2018
edited
Loading

Thanks for reporting this, @pbr0ck3r. Is this an issue that is actually affecting us or is this a theoretical issue because we use an affected dependency but not in a way that allows exploitation of the issue?

@pbr0ck3r
Copy link
Contributor Author

It does not directly affect graylog core code base. But is a theoretical issue. If anyone where to have a plugin containing similar to the following code pointing to a malicious site, or scraping data.

<button data-toggle="collapse" data-target="<img src=x onerror=alert(0)>">Test</button>

It is suggested to update bootstrap to fix this vulnerability.

@no-response no-response bot removed the needs-input label Mar 13, 2018
@joschi
Copy link
Contributor

joschi commented Mar 13, 2018

@pbr0ck3r Thanks for providing these details!

Right now, we're blocked until Bootstrap 3.4.0 has been released: twbs/bootstrap#25679

@jalogisch jalogisch added this to the 3.0.0 milestone Mar 19, 2018
@joschi joschi mentioned this issue Jul 4, 2018
Closed
@bernd bernd removed this from the 3.0.0 milestone Nov 16, 2018
@edmundoa edmundoa added this to the 3.0.0 milestone Dec 14, 2018
@edmundoa edmundoa self-assigned this Dec 14, 2018
edmundoa pushed a commit that referenced this issue Dec 14, 2018
Upgrade to bootstrap 3.4.0
eee0749 
Fixes #4603
@edmundoa edmundoa mentioned this issue Dec 14, 2018
Merged
@bernd bernd closed this as completed in 98b8605 Dec 19, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@edmundoa edmundoa

Labels
bug triaged
Projects
None yet
Milestone
3.0.0
Development

No branches or pull requests
6 participants
@bernd @dennisoelkers @joschi @jalogisch @edmundoa @pbr0ck3r