EIQ-2020-0004

ID: EIQ-2020-0004

CVE: -

Description: Attacker can hide malicious JavaScript code in an entity hyperlink

Date: 05 Feb 2020

Severity: 3 - HIGH

CVSSv3 score: Not available on NIST NVD.

Status: ✅ 2.7.0

Assessment

It is possible for an entity that is ingested to contain malicious JavaScript code.

The entity’s details can contain a hyperlink in whose HTML code, hidden from the reader, the URL in the href attribute has been replaced by executable JavaScript code.

If a platform user clicks the hyperlink, the JavaScript code will execute.

JavaScript code in an href attribute runs in the browser session of the user who clicks the link, with all of that user’s authorizations.

Depending on the user’s authorizations, a threat agent could, for example, create a user account with which to sign in to the affected platform instance; steal information and send it to a remote host; or even intercept user input.
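The ingestion-time check a defender would want for this class of bug, added here as an example and not EclecticIQ’s own code: it flags hyperlinks whose href would run script when clicked, after normalising the variations (letter case, embedded control characters, entity-encoded characters) that a naive prefix test for "javascript:" misses. The allow-list of schemes and the sample entity HTML are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list of URL schemes an ingested entity's hyperlinks may use.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def is_safe_href(href):
    """True if clicking a link with this href cannot run script.

    Browsers drop ASCII control characters from a URL and match the scheme
    case-insensitively, so normalise the same way before deciding."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", href)
    if cleaned == "":
        return True  # an empty href is inert
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        return True  # relative link, resolved against the platform's own origin
    return scheme in ALLOWED_SCHEMES

class HrefAuditor(HTMLParser):
    """Collects unsafe <a href> values; HTMLParser decodes &#..; refs for us."""

    def __init__(self):
        super().__init__()
        self.unsafe = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value is not None and not is_safe_href(value):
                self.unsafe.append(value)

def find_unsafe_hrefs(fragment):
    """Return the hrefs in fragment that an ingestion check should reject."""
    auditor = HrefAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.unsafe

# Constructed sample entity description, not taken from the advisory.
SAMPLE_ENTITY_HTML = (
    '<p>See <a href="https://example.org/report">the report</a>, '
    '<a href="  JaVaScRiPt:alert(1)">a hidden script link</a>, '
    '<a href="java&#09;script:void(0)">another one</a> and '
    '<a href="/entities/42">an internal link</a>.</p>'
)
```

Running find_unsafe_hrefs over the sample returns only the two script links; the https and relative links pass.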

Mitigation

Upgrade to EclecticIQ Platform 2.7.0 or later.

Affected versions

2.6.0 and earlier.

Notes

-