EIQ-2020-0005



ID

EIQ-2020-0005

CVE

-

Description

HTML injection through task name

Date

05 Feb 2020

Severity

1 - LOW

CVSSv3 score

CVSSv3 score not available on NIST NVD .

Status

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/check.svg 2.7.0

Assessment

It is possible to inject a third-party image into the platform using the style attribute of an HTML <strong> tag in the Name field of tasks, datasets and graphs.
When a platform user edits or deletes one of these components, the corresponding notification renders the injected image.
This results in a request for the image being sent to a remote server, which exposes data included in the HTTP request, such as the user's IP address.

Only images can be injected. EclecticIQ Platform uses DOMPurify, which strips HTML code of attributes that could contain any sort of script.

Mitigation

Upgrade to EclecticIQ Platform 2.7.0 or later

Affected versions

2.6.0 and earlier.

Notes

-

< Back to all security issues and mitigation actions

In release notes 2.7.0