EIQ-2020-0004



ID

EIQ-2020-0004

CVE

-

Description

Attacker can hide malicious JavaScript code in entity hyperlink

Date

05 Feb 2020

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.


Status

Fixed in 2.7.0

Assessment

It is possible for an ingested entity to contain malicious JavaScript code.
The entity's details can contain a hyperlink in whose HTML code the URL in the href attribute of the <a> tag has been replaced by a javascript: URL, so the payload is hidden from anyone who only sees the link text.
If a platform user clicks the hyperlink, the JavaScript code executes in that user's browser session.

JavaScript code run from an href attribute in this way has all the authorizations of the user who clicks the link.
Depending on the user's authorizations, a threat agent could, for example, create a user account with which to sign in to the affected platform instance, steal information and send it to a remote host, or even intercept user input.
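The check an ingestion pipeline needs against this class of issue, as an added example that is not EclecticIQ's code: hyperlink targets in entity HTML are resolved the way a browser would (character references decoded, ignorable controls and tab/newline characters removed) and accepted only when the resulting scheme is on an allow-list, so a javascript: URL cannot be smuggled in through case, encoding or whitespace tricks. The base origin "https://platform.example/" and the function names are placeholders chosen for this example.

```javascript
// Added example, not EclecticIQ code: validate hyperlink targets in ingested
// entity HTML so a javascript: URL hidden in an href attribute never reaches
// a user's browser.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Decode HTML character references ("&#106;avascript:", "java&Tab;script:")
// the way a browser does before it interprets the attribute value.
function decodeHtmlEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", tab: "\t", newline: "\n" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return named[body.toLowerCase()] ?? m;
  });
}

// True only if the link resolves to an allowed scheme. Leading/trailing
// C0 controls and spaces, and embedded tab/LF/CR, are dropped first because
// browsers ignore them ("java\tscript:" still runs as javascript:).
function isSafeHref(raw) {
  const cleaned = decodeHtmlEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  try {
    // Relative links ("/entities/42") resolve against the platform origin
    // (placeholder base) and so inherit its https: scheme.
    return ALLOWED_SCHEMES.has(new URL(cleaned, "https://platform.example/").protocol);
  } catch {
    return false; // unparsable target: treat as unsafe
  }
}

// Rewrite every <a href="..."> whose target is not safe to point at "#",
// so the markup survives but the script never runs. A regex is enough for
// this illustration; production code should apply the same scheme
// allow-list inside a real HTML sanitizer.
function neutraliseUnsafeHrefs(html) {
  return html.replace(/(<a\b[^>]*?\bhref\s*=\s*)(["'])([\s\S]*?)\2/gi,
    (m, prefix, quote, value) => (isSafeHref(value) ? m : `${prefix}${quote}#${quote}`));
}
```

Run the allow-list on the server at ingestion time and again at render time: the stored entity is the attacker-controlled input, so the browser must never be the only layer that decides what a link does.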

Mitigation

Upgrade to EclecticIQ Platform 2.7.0 or later.

Affected versions

2.6.0 and earlier.

Notes

-


In release notes 2.7.0