[CKAN-Security] Add member input field vulnerable to reflected XSS

Georgiana Bere georgiana.bere at datopian.com
Thu Aug 1 10:42:12 UTC 2019


Hello,

I'm Georgiana Bere, one of the developers at Datopian
<https://www.datopian.com/>. We're currently working on a CKAN-based
project in collaboration with Roche. Marcin Sowa (in CC) is part of their
QA team and he discovered a security vulnerability in CKAN a few days ago.

It seems that the Add Member form can be affected by a reflected XSS. As
you will see in the screenshots, JS code can be inserted and run as input when
adding a member to an organization.

[image: xss-roche-member-field.png]
[image: xss-roche-popup.png]

If you need more details I'm sure Marcin would be happy to share.
Please keep us posted about any progress on this.

Many thanks,
Georgiana Bere
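An added example, not code from the report above or from CKAN itself: the reflect-without-escaping pattern that makes a form field a reflected XSS sink, beside the escaped version, plus a small regression check a QA team could run against any page that echoes input back. The field name, markup and canary value are assumptions; CKAN renders its forms through Jinja2 templates, where autoescaping does the same escaping unless a value is marked `|safe`.

```python
import html

# Constructed canary: contains the characters an escaping layer must
# neutralise (<, >, ", ') but carries no executable payload.
CANARY = '<canary attr="x">o\'brien'


def render_member_field_unescaped(username: str) -> str:
    """Vulnerable pattern: user input concatenated straight into HTML.

    A value echoed back this way (e.g. re-populating the form after a
    validation error) is interpreted as markup by the browser, which is
    what a reflected XSS relies on. `username` is a hypothetical field name.
    """
    return f'<input type="text" name="username" value="{username}">'


def render_member_field_escaped(username: str) -> str:
    """Hardened pattern: escape on output, quotes included.

    html.escape(quote=True) is the same transformation Jinja2 applies to
    template variables when autoescaping is enabled.
    """
    safe = html.escape(username, quote=True)
    return f'<input type="text" name="username" value="{safe}">'


def reflects_unescaped(rendered: str, value: str) -> bool:
    """Regression check: True if `value` reached the output with its HTML
    metacharacters intact, i.e. the page reflected it as markup."""
    metachars = set('<>"\'')
    if not metachars & set(value):
        return False  # nothing for an escaping layer to change
    return value in rendered


if __name__ == "__main__":
    for render in (render_member_field_unescaped, render_member_field_escaped):
        out = render(CANARY)
        verdict = "UNSAFE" if reflects_unescaped(out, CANARY) else "ok"
        print(f"{render.__name__}: {verdict}\n  {out}")
```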