# EIQ-2020-0005

| Field | Value |
|---|---|
| ID | EIQ-2020-0005 |
| CVE | - |
| Description | HTML injection through task name |
| Date | 05 Feb 2020 |
| Severity | 1 - LOW |
| CVSSv3 score | CVSSv3 score not available on NIST NVD. |
| Status | ✅ 2.7.0 |
| Assessment | It is possible to inject a third-party image into the platform using the style attribute of an HTML element. When a platform user edits or deletes one of these components, the corresponding notification renders the injected image. This results in a request for the image being sent to a remote server, which exposes data included in the HTTP request, such as the user's IP address. Note: only images can be injected. EclecticIQ Platform uses DOMPurify, which strips HTML code of attributes that could contain any sort of script. |
| Mitigation | Upgrade to EclecticIQ Platform 2.7.0 or later. |
| Affected versions | 2.6.0 and earlier. |
| Notes | - |
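As an added example (not EclecticIQ's code), a stdlib-only Python check for the residual channel the assessment describes: it drops `style` attributes whose value references a remote resource, which a script-focused sanitizer such as DOMPurify in its default configuration leaves in place, and reports each dropped value so it can be logged. The HTML fragments used to exercise it are constructed.

```python
# Added example, not EclecticIQ's code: drop `style` attributes that reference
# a remote resource (background-image: url(...) and similar), the channel the
# advisory describes. Sample fragments fed to it are constructed.
import html
import re
from html.parser import HTMLParser

# CSS functions that make the browser fetch a resource when the style is rendered.
REMOTE_REF = re.compile(r"\b(?:url|image|image-set)\s*\(", re.IGNORECASE)


class StyleStripper(HTMLParser):
    """Re-serialises a fragment, dropping style attributes that reference a
    remote resource, and records each dropped value for logging/alerting."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: data arrives unescaped
        self.out, self.dropped = [], []

    def _attrs(self, attrs):
        kept = []
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name == "style" and value and REMOTE_REF.search(value):
                self.dropped.append(value)
                continue
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{html.escape(value)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def strip_remote_styles(fragment):
    """Return (cleaned_fragment, dropped_style_values) for an HTML fragment."""
    parser = StyleStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped
```

Where DOMPurify itself is in the pipeline, its `FORBID_ATTR: ['style']` option removes the attribute outright; this check is the equivalent for a stage that does not run DOMPurify and wants a record of what was stripped.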