EIQ-2018-0017

ID

EIQ-2018-0017

CVE

-

Description

HTML injection through the GUI

Date

05 Jun 2019

Severity

2 - MEDIUM

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

Fixed in 2.5.0

Assessment

Some manual input fields in the GUI parse HTML, instead of rendering it as raw source.
For example, this occurs in the Details input field in a workspace dashboard view, when users are in edit mode.

The code is sanitized to prevent cross-site scripting (XSS) injection attacks.
However, it is still possible to inject HTML containing redirects.

As a consequence, a form submission button can be injected with HTML containing redirects to external sites and resources.
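The following is an added illustration of the failure mode described above; it is not EclecticIQ's code and does not reproduce the product's actual sanitizer or fix. It contrasts a script-only filter (removes script elements, event handlers and javascript: URLs, i.e. the XSS vectors, but passes everything else) with an allowlist sanitizer that only keeps a small set of formatting tags and local links, so that forms, meta refresh tags and other redirect-capable markup never reach the rendered page. The sample "Details" markup, the tag allowlist and the `external.example` host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import html

# Constructed sample of user-supplied markup for a Details field. It carries no
# <script>, so a script-only filter accepts it, yet the form and the meta tag
# both send the user to an external site (external.example is a placeholder).
SAMPLE_DETAILS = (
    '<p>Release <b>checklist</b></p>'
    '<script>alert(1)</script>'
    '<form action="https://external.example/collect" method="post">'
    '<input type="submit" value="Save"></form>'
    '<meta http-equiv="refresh" content="0;url=https://external.example/">'
    '<a href="/workspace/1">back</a>'
)


def is_local_url(value: str) -> bool:
    """True only for relative URLs: no scheme (rejects javascript:, https:) and no host."""
    parts = urlsplit(value.strip())
    return parts.scheme == "" and parts.netloc == ""


class _Rewriter(HTMLParser):
    """Re-serialises markup, asking keep_tag()/keep_attr() for every node.

    Subclasses decide the policy; the base class handles escaping and makes sure
    the content of <script>/<style> is discarded rather than emitted as text.
    """

    VOID = {"br", "img", "input", "meta"}      # elements with no closing tag
    DROP_WITH_CONTENT = {"script", "style"}    # element and its text both go

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # >0 while inside a DROP_WITH_CONTENT element

    def keep_tag(self, tag: str) -> bool:
        raise NotImplementedError

    def keep_attr(self, tag: str, name: str, value: str) -> bool:
        raise NotImplementedError

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or not self.keep_tag(tag):
            return
        kept = "".join(
            f' {name}="{html.escape(value or "", quote=True)}"'
            for name, value in attrs
            if self.keep_attr(tag, name, value or "")
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag in self.VOID or not self.keep_tag(tag):
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            # Text is always re-escaped, so decoded entities cannot become markup.
            self.out.append(html.escape(data, quote=False))


class ScriptOnlyFilter(_Rewriter):
    """Blocklist policy: strips classic XSS vectors and keeps every other tag."""

    def keep_tag(self, tag):
        return True

    def keep_attr(self, tag, name, value):
        return not name.startswith("on") and not value.strip().lower().startswith("javascript:")


class AllowlistSanitizer(_Rewriter):
    """Allowlist policy: formatting tags plus <a> with a relative href only."""

    ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}

    def keep_tag(self, tag):
        return tag in self.ALLOWED_TAGS

    def keep_attr(self, tag, name, value):
        return tag == "a" and name == "href" and is_local_url(value)


def sanitize(markup: str, policy) -> str:
    """Run `markup` through the given policy class and return the cleaned HTML."""
    parser = policy()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def render_as_source(markup: str) -> str:
    """The alternative the advisory contrasts with: show the field as raw text."""
    return html.escape(markup)


if __name__ == "__main__":
    print("script-only :", sanitize(SAMPLE_DETAILS, ScriptOnlyFilter))
    print("allowlist   :", sanitize(SAMPLE_DETAILS, AllowlistSanitizer))
```

Run as a script, the first line still contains the form with its external `action` and the meta refresh (exactly the gap the advisory describes), while the allowlist output keeps the paragraph, bold text and the local link and nothing else. Rendering the field through `render_as_source` is the simplest fix when no formatting is actually needed.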

Mitigation

-

Affected versions

2.3.0 to 2.4.0 inclusive.

Notes

Former refs: 25750; 36511

This issue was closed as solved in release 2.4.0.
However, the problem persisted.

We reopened it with a planned solution available in release 2.5.0.
Note: The date in the Date field refers to the point in time when the issue was reopened.

In release notes 2.5.0