[CKAN-Security] Fwd: XSS vulnerability in email fields
Adrià Mercader
adria.mercader at okfn.org
Thu May 18 07:05:58 UTC 2017
Hi Konstantin,
Is this something you could investigate a bit to know if the vulnerability
actually exists and if there is a patch for it?
Thanks
Adrià
---------- Forwarded message ----------
From: <Jakob.Niggel at continental-corporation.com>
Date: 18 May 2017 at 07:46
Subject: [CKAN-Security] XSS vulnerability in email fields
To: Adrià Mercader <adria.mercader at okfn.org>
Hi Everyone,
we've found an XSS vulnerability in the email fields which are shown when
you create a new dataset. This can be triggered by entering
"><script>alert('foo');</script> in one of the mail fields. When a user
accesses a dataset the alert message will pop up.
This is caused by the function webhelpers.html.tools.mail_to on which
ckan relies.
Kind regards
Jakob Niggel
Continental
Corporate IT Infrastructure - Server and Cloud Operations
C IN SC LX
Continental Automotive GmbH
Siemensstrasse 12, 93055 Regensburg, Germany
Telefon/Phone: +49 941 790-4892
E-Mail: Jakob.Niggel at continental-corporation.com
http://www.continental-corporation.com
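The defect described in the report is a mailto helper that interpolates a user-supplied address straight into an <a> tag. The block below is an added illustration, not CKAN's or webhelpers' own code: it shows the unsafe pattern next to a hardened helper that escapes both the href attribute and the link text with html.escape(quote=True) and refuses to link values that are not plausible addresses. The names (unsafe_mail_to, safe_mail_to, is_plausible_address), the address regex and the sample inputs are assumptions made for the demo.

```python
import html
import re

# Constructed sample inputs: the payload quoted in the report, and a benign address.
MALICIOUS_ADDRESS = "\"><script>alert('foo');</script>"
BENIGN_ADDRESS = "maintainer@example.org"

# Deliberately conservative address pattern (hypothetical; stricter than RFC 5322).
# Every character it admits is inert in both HTML attribute and text context.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def unsafe_mail_to(address, name=None):
    """Reconstruction of the bug class: raw string formatting into markup.

    A value containing '">' closes the href attribute and the tag, and whatever
    follows is parsed as HTML, which is exactly the behaviour the report describes.
    """
    text = name if name is not None else address
    return '<a href="mailto:{}">{}</a>'.format(address, text)


def is_plausible_address(address):
    """Return True only for strings made of characters that cannot carry markup."""
    return bool(_ADDRESS_RE.match(address))


def safe_mail_to(address, name=None):
    """Build a mailto link with attribute and text context both escaped.

    Two independent defences: the address must match the conservative pattern
    (otherwise it is rendered as escaped text, never as a link), and every value
    that reaches the template passes through html.escape(quote=True), so the
    characters " ' < > & become entities and cannot break out of the attribute.
    """
    if not is_plausible_address(address):
        return html.escape(address, quote=True)
    text = name if name is not None else address
    return '<a href="mailto:{}">{}</a>'.format(
        html.escape(address, quote=True), html.escape(text, quote=True))


def renders_raw_script(fragment):
    """Detection helper for the demo: does the output still contain a live <script tag?"""
    return "<script" in fragment.lower()
```

Running safe_mail_to(MALICIOUS_ADDRESS) yields only entity-encoded text, whereas unsafe_mail_to(MALICIOUS_ADDRESS) emits a real <script> element; the same escaping also neutralises markup smuggled through the display name.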