[CKAN-Security] Client Side XSS
Adrià Mercader
adria.mercader at okfn.org
Mon Nov 25 13:30:01 UTC 2019
Hi Cody,
Thanks a lot for your report. Any help on this front will be appreciated.
Adrià
On Fri, 22 Nov 2019 at 21:47, Cody B <codywboyko at gmail.com> wrote:
> Afternoon,
>
> A recent Penetration Test has uncovered a few vulnerabilities. I'll try to
> flag applicable ones to CKAN core, first up is client side XSS.
>
> This seems to be coming from Bootstrap 3 and jQuery 3. Both are
> susceptible to a few vulnerabilities, including cross-site scripting.
>
> So in general, they should be upgraded, but I know a Bootstrap upgrade would
> take quite a bit of time and we just got to 3.
>
> A more specific example is any autocomplete drop-down field. All seem to
> execute JS quite easily, e.g. (in the resource format field, try entering
> <script>alert(document.cookie)</script>). The autocomplete.js file seems to
> rely on jQuery, and I'm assuming at this point that is where the issue
> resides.
>
> Will update as I have more to share.
>
> Thanks,
> Cody
>
> Repo: https://github.com/ckan/ckan-security
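The report above describes an autocomplete widget that renders what the user typed, or what other users have stored, as HTML instead of text. The following is an added example, not CKAN's own autocomplete.js or any code from the thread, showing the vulnerable string-building pattern next to its hardened form and a small check a reviewer can run over rendered markup. All function names (escapeHtml, renderSuggestionsUnsafe, renderSuggestionsSafe, containsInjectedTag) and the sample suggestion list are assumptions constructed for this example.

```javascript
// Added example (not CKAN code): rendering autocomplete suggestions without
// treating user-controlled text as HTML. All names below are hypothetical.

// Escape the characters that change meaning in HTML text and attribute
// contexts. Order matters: '&' must be replaced first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: suggestions (which echo the typed prefix or come from
// values stored by other users) are concatenated straight into markup, so a
// suggestion containing a tag becomes part of the page.
function renderSuggestionsUnsafe(suggestions) {
  return '<ul class="suggestions">' +
    suggestions.map(function (s) { return '<li>' + s + '</li>'; }).join('') +
    '</ul>';
}

// Hardened pattern: every suggestion is escaped before it enters the markup,
// so the browser shows the literal text. In a real DOM you would instead
// create the <li> and assign textContent (or jQuery .text()), never .html().
function renderSuggestionsSafe(suggestions) {
  return '<ul class="suggestions">' +
    suggestions.map(function (s) { return '<li>' + escapeHtml(s) + '</li>'; }).join('') +
    '</ul>';
}

// Reviewer check: does any tag appear in the output that the template itself
// did not put there? Useful as a unit test on rendering helpers.
function containsInjectedTag(html, allowedTags) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    if (!allowedTags.includes(match[1].toLowerCase())) {
      return true;
    }
  }
  return false;
}

// Constructed sample: a legitimate format value, the probe string from the
// report, and a value with quotes to show escaping of attribute characters.
const SAMPLE_SUGGESTIONS = [
  'CSV',
  '<script>alert(document.cookie)</script>',
  'GeoJSON "v1"'
];

console.log('unsafe:', renderSuggestionsUnsafe(SAMPLE_SUGGESTIONS));
console.log('safe:  ', renderSuggestionsSafe(SAMPLE_SUGGESTIONS));
console.log('unsafe output contains injected tag:',
  containsInjectedTag(renderSuggestionsUnsafe(SAMPLE_SUGGESTIONS), ['ul', 'li']));
console.log('safe output contains injected tag:',
  containsInjectedTag(renderSuggestionsSafe(SAMPLE_SUGGESTIONS), ['ul', 'li']));
```

The same hazard exists on the jQuery side of a widget: passing a string that starts with `<` to `$()` makes jQuery parse it as HTML, so suggestion text should reach the DOM through `.text()` or `document.createTextNode`, and any `.html()` or `$(string)` call fed by user or database values is the first place to look when triaging a report like this one. Upgrading jQuery and Bootstrap removes known library-level issues but does not fix a template that inserts unescaped values.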