[CKAN-Security] Client Side XSS

Adrià Mercader adria.mercader at okfn.org
Mon Nov 25 13:30:01 UTC 2019


Hi Cody,

Thanks a lot for your report. Any help on this front will be appreciated.

Adrià


On Fri, 22 Nov 2019 at 21:47, Cody B <codywboyko at gmail.com> wrote:

> Afternoon,
>
> A recent Penetration Test has uncovered a few vulnerabilities. I'll try to
> flag applicable ones to CKAN core, first up is client side XSS.
>
> This seems to be coming from Bootstrap 3 and jQuery 3. Both are
> susceptible to a few vulnerabilities, including cross-site scripting.
>
> So in general they should be upgraded, but I know a Bootstrap upgrade would
> take quite a bit of time and we just got to 3.
>
> A more specific example is any autocomplete drop-down field. All seem to
> execute JS quite easily, e.g. in the resource format field, try entering
> <script>alert(document.cookie)</script>. The autocomplete.js file seems to
> rely on jQuery, and I'm assuming at this point that is where the issue
> resides.
>
> Will update as I have more to share.
>
> Thanks,
> Cody
>
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "CKAN Security" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to security+unsubscribe at ckan.org.
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>
> Repo: https://github.com/ckan/ckan-security
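The report above describes the classic shape of a DOM-based XSS in an autocomplete widget: a user-typed suggestion string is inserted into the page as markup instead of as text. The following is an added illustration written for this archive page; it is not CKAN's autocomplete.js, not code from either correspondent, and makes no claim about how CKAN actually renders its suggestions. The two render functions, the escaping helper and the sample suggestion list are all constructed for the example; the payload string is the one quoted in the report.

```javascript
// Added example (not CKAN code): an autocomplete suggestion list rendered two
// ways. Suggestion strings originate from user input and must be treated as
// untrusted text, never as HTML. SUGGESTIONS is constructed sample data; the
// PAYLOAD is the probe quoted in the report.

const PAYLOAD = '<script>alert(document.cookie)</script>';
const SUGGESTIONS = ['CSV', 'GeoJSON', PAYLOAD];

// Vulnerable pattern: markup built by string concatenation, so the payload
// reaches the document as a live tag. Handing the same string to jQuery's
// $(htmlString) or .html() has the same effect.
function renderSuggestionsUnsafe(items) {
  return '<ul class="autocomplete">' +
    items.map(item => '<li class="item">' + item + '</li>').join('') +
    '</ul>';
}

// Hardened pattern: escape the five HTML-significant characters before the
// string is placed in element content or an attribute value. In jQuery the
// equivalent is building the node and calling .text(item) on it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderSuggestionsSafe(items) {
  return '<ul class="autocomplete">' +
    items.map(item => '<li class="item">' + escapeHtml(item) + '</li>').join('') +
    '</ul>';
}

// Quick check a tester can reuse on rendered output: does the probe survive
// verbatim (i.e. as a tag the browser would execute) or only as escaped text?
function containsLiveTag(html, payload) {
  return html.includes(payload);
}

console.log(containsLiveTag(renderSuggestionsUnsafe(SUGGESTIONS), PAYLOAD)); // true
console.log(containsLiveTag(renderSuggestionsSafe(SUGGESTIONS), PAYLOAD));   // false
```

Escaping at render time is only half of the fix when jQuery is involved: a string that begins with `<` passed to `$()` is parsed as HTML regardless of where it came from, so suggestion items should be created with `$('<li>')` and populated with `.text()` rather than assembled into one HTML string. Upgrading the jQuery and Bootstrap releases, as the report recommends, removes the library-side issues but does not remove an application-side concatenation like the first function above.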