Security Vulnerability - Stored Cross Site Scripting #51
Comments
Hi,
I'm not overly familiar with the changes between the versions. If there is a need for a user to stay on versions 3.2.0.0, 3.1.0.0 or 3.0.4.0 then I think going back and resolving the issue would be worth it. If not, I would recommend for users to upgrade to the latest.
I will test the effort with 3.2.0.0. I think it's not much, but yeah I often thought that in the past. We will see. I will post an update here when I have more insights.
Backported a fix for:
I added a small section in the Readme, which will mention this to encourage users to update.
Summary
WireMock with GUI versions 3.2.0.0 through 3.0.4.0 are vulnerable to stored cross-site scripting (SXSS) through the recording feature. An attacker can host a malicious payload and perform a test mapping pointing to the attacker's file, and the result will render on the Matched page in the Body area, resulting in the execution of the payload. This occurs because the response body is not validated or sanitized.
Tested Versions
3.2.0.0
3.1.0.0
3.0.4.0
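The root cause described in the summary is that a recorded response body is placed into the GUI as markup rather than as text. The following is an added example, not code from wiremock-gui or WireMock, showing the vulnerable rendering pattern beside the hardened one and a small check that tells them apart. The function names, the wrapper element, and the sample body are all constructed for illustration.

```javascript
// Added example (not wiremock-gui's own code): how a recorded response
// body should and should not be placed on the "Matched" page.

// Constructed sample: a body that a proxied/recorded target could return.
// It is inert here; it only matters whether it survives as markup.
const RECORDED_BODY = '<img src=x onerror="alert(document.cookie)">';

// Escape the five characters that let text break out into markup.
// Any untrusted string that is interpolated into HTML must go through this.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw body is interpolated into the fragment that
// is later assigned to innerHTML, so tags and event handlers in it execute.
function renderBodyUnsafe(body) {
  return `<pre class="body">${body}</pre>`;
}

// Hardened pattern: escape first, so the body is displayed verbatim as text.
// In a real browser, `element.textContent = body` achieves the same thing
// without building an HTML string at all.
function renderBodySafe(body) {
  return `<pre class="body">${escapeHtml(body)}</pre>`;
}

// Check used by the demonstration (and by a unit test for the GUI):
// strip the GUI's own wrapper element and see whether any tag from the
// untrusted body is still present as real markup.
function untrustedTagsPresent(rendered) {
  const inner = rendered
    .replace(/^<pre class="body">/, "")
    .replace(/<\/pre>$/, "");
  return /<[a-z!/]/i.test(inner);
}

// Stand-alone run: report which renderer lets the payload through.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe leaks markup:", untrustedTagsPresent(renderBodyUnsafe(RECORDED_BODY)));
  console.log("safe   leaks markup:", untrustedTagsPresent(renderBodySafe(RECORDED_BODY)));
}
```

The check in `untrustedTagsPresent` is deliberately crude; its purpose is to make the difference between the two renderers testable, not to serve as a sanitizer. The fix for the class of bug on this page is to never treat recorded bodies as HTML, which is what `renderBodySafe` (or `textContent`) does.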
POC
Recommendations
Follow the official Wiremock documentation to prevent proxying to unintended locations.
Update to the latest release of Wiremock with GUI.
References
CVE-2023-50069
https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses
CVSS
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None