Problem: Potential Cross-site scripting #44

Closed
ntrampham opened this issue May 17, 2024 · 9 comments
Labels: bug (Something isn't working), security (Security)

Comments
@ntrampham

Versions: latest
Scope: Backend (API)
Issue: Report.pdf

@ntrampham ntrampham added problem Problem triage Triage labels May 17, 2024
@ansibleguy ansibleguy added bug Something isn't working security Security and removed triage Triage problem Problem labels May 20, 2024
@ansibleguy ansibleguy self-assigned this May 20, 2024
ansibleguy added a commit that referenced this issue May 20, 2024
@ansibleguy (Owner)

Greetings!

Thank you for reporting this issue. Had overlooked that validation.

@ntrampham (Author)

Hi

Would you mind publishing a CVE for this?

@ansibleguy (Owner)

I actually do not know how to publish a CVE. Would have to read into it.
Using this form? https://cveform.mitre.org/

@ntrampham (Author)

Yes, absolutely right!

@ntrampham (Author)

It would be great if you could set up a security policy for the repo you own here https://github.com/ansibleguy/webui/security.

This would allow users to draft a report on their own. You will then only need to approve and publish it. Ref: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory#

@ansibleguy (Owner)

Alright. Have added the policy and security advisories are now enabled.
Would you mind testing the validation-fix in version 0.0.21?

@ntrampham (Author)

Fix looks good. I am no longer able to reproduce the vulnerability. Please go ahead and publish a security advisory for this.

@ansibleguy (Owner)

ansibleguy commented May 28, 2024

Here you go: GHSA-927p-xrc2-x2gj

Thank you again for reporting it.

Have a nice day

@superstes

superstes commented Aug 28, 2024

Note: CSP is configured since the last release.
This feature helps prevent XSS in possible future vulnerabilities.
5cbe2f8
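
The comment above presents CSP as a second layer that limits what an injected script can do if another validation gap slips through. As an added example (not code from the ansibleguy/webui project, from the referenced commit, or from any commenter), the Python below parses a Content-Security-Policy header the way a browser resolves it and flags the settings that would still let an injected inline script run. It goes beyond the single inline-script case and also checks for 'unsafe-eval', over-broad script sources, and missing object-src and base-uri. The two policy strings, the function names, and the finding texts are assumptions constructed for illustration; the project's real header is not reproduced here.

```python
"""Audit a Content-Security-Policy header for settings that would still let an
injected script execute.  Added example for this issue thread; it is not code
from the ansibleguy/webui project, and both sample policies are constructed."""

from typing import Dict, List, Optional

# Constructed sample policies (assumption: neither is the project's real header).
WEAK_CSP = "default-src 'self'; script-src 'self' * 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = (
    "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
)

# Source prefixes whose presence makes 'unsafe-inline' a no-op (CSP Level 2/3).
_NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated; each is a name followed by whitespace-separated
    sources.  Names are case-insensitive, and browsers ignore a repeated
    directive, so the first occurrence wins here as well.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing `directive`, falling back to default-src as browsers do.
    None means neither is set, i.e. nothing is restricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def inline_script_allowed(policy: Dict[str, List[str]]) -> bool:
    """True if an injected inline <script> (the usual stored/reflected XSS
    payload) would execute under this policy."""
    srcs = effective_sources(policy, "script-src")
    if srcs is None:
        return True
    lowered = [s.lower() for s in srcs]
    has_nonce_or_hash = any(s.startswith(_NONCE_OR_HASH) for s in lowered)
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means no weak script setting."""
    policy = parse_csp(header)
    findings: List[str] = []
    srcs = effective_sources(policy, "script-src")
    if srcs is None:
        findings.append("no script-src or default-src: scripts from anywhere are allowed")
        srcs = []
    elif inline_script_allowed(policy):
        findings.append("inline scripts allowed: 'unsafe-inline' without a nonce or hash")
    lowered = [s.lower() for s in srcs]
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval' lets eval()/new Function() run attacker-controlled strings")
    for broad in ("*", "http:", "https:", "data:"):
        if broad in lowered:
            findings.append(f"script source {broad!r} is too broad")
    default_src = [s.lower() for s in policy.get("default-src", [])]
    if "object-src" not in policy and default_src != ["'none'"]:
        findings.append("object-src missing: plugin content falls back to default-src")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: inline script allowed = {inline_script_allowed(parse_csp(header))}")
        for finding in audit_csp(header):
            print(f"  - {finding}")
```

Run it against the header your deployment actually sends (for example, the value captured from a browser's network tab) rather than the constructed strings; the one result that matters for this issue is `inline_script_allowed` returning False, since a policy that still carries 'unsafe-inline' without a nonce or hash provides no protection against the kind of payload reported here.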
