[CKAN-Security] Client Side XSS
Cody B
codywboyko at gmail.com
Fri Nov 22 20:47:04 UTC 2019
Afternoon,
A recent Penetration Test has uncovered a few vulnerabilities. I'll try to
flag applicable ones to CKAN core, first up is client side XSS.
This seems to be coming from bootstrap 3 and Jquery 3. Both are
susceptible to a few vulnerabilities including cross-site scripting.
So in general, they should be upgraded but I know bootstrap upgrade would
take quite a bit of time and we just got to 3.
A more specific example are any autocomplete drop down fields. All seem to
execute JS quite easily. e.g. (resource format field try entering
<script>alert(document.cookie)</script>). the autocomplete.js file seems to
rely on jquery, and I'm assuming at this point that is where the issue
resides.
Will update as I have more to share.
Thanks,
Cody
--
You received this message because you are subscribed to the Google Groups "CKAN Security" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security+unsubscribe at ckan.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20191122/5ff2e855/attachment.html>
More information about the Security
mailing list