JOC - JobScheduler Operations Center
JOC-854

Cross-Site Scripting (XSS) Vulnerability allows injection of HTML and script code into REST API calls (CVE-2020-6854)


Details

    • CVE-2020-6854

    Description

      Vulnerability

      • An XSS vulnerability was identified in the way JOC Cockpit processes JSON input, see http://en.wikipedia.org/wiki/Cross-site_scripting
        • An attacker can inject HTML, and subsequently JavaScript code, through JOC Cockpit REST calls that carry string properties.
      • Severity Level: MEDIUM
        • To exploit the vulnerability, an attacker needs a valid account in the application that permits the specific action. The attacker must therefore hold account credentials with privileges for the vulnerable views.

      Mitigation

      • The JSON inside a Web Service request is validated against a schema that limits the range of allowed characters in string properties.
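      The following is an added illustration of that mitigation, not code from JOC Cockpit: a minimal JSON-schema validator that whitelists the characters a string property may contain and rejects the whole request body before any value is stored or rendered. The property names, patterns and sample bodies are constructed assumptions; the real JOC Cockpit schema is not shown on this page.

```python
import json
import re

# Constructed schema for a hypothetical JOC Cockpit-style request body (assumption,
# not the project's real schema). Every string property carries a "pattern" that
# whitelists allowed characters, so markup characters such as < > " ' & are
# rejected at the API boundary instead of reaching storage or the web UI.
REQUEST_SCHEMA = {
    "type": "object",
    "required": ["jobschedulerId", "comment"],
    "additionalProperties": False,
    "properties": {
        "jobschedulerId": {"type": "string", "pattern": r"^[A-Za-z0-9_.-]{1,64}$"},
        "comment": {"type": "string", "pattern": r"^[A-Za-z0-9 _.,:;()/-]{0,256}$"},
    },
}


def validate(document, schema):
    """Validate against the subset of JSON Schema used above (object/string/pattern).
    Returns a list of error messages; an empty list means the document is valid."""
    errors = []
    if schema["type"] == "object":
        if not isinstance(document, dict):
            return ["expected object"]
        for name in schema.get("required", []):
            if name not in document:
                errors.append(f"{name}: missing required property")
        for name, value in document.items():
            sub = schema["properties"].get(name)
            if sub is None:
                if not schema.get("additionalProperties", True):
                    errors.append(f"{name}: property not allowed")
                continue
            errors.extend(f"{name}: {e}" for e in validate(value, sub))
    elif schema["type"] == "string":
        if not isinstance(document, str):
            return ["expected string"]
        if "pattern" in schema and not re.fullmatch(schema["pattern"], document):
            errors.append("contains characters outside the allowed range")
    return errors


def handle_request(raw_body):
    """Reject the entire request on the first schema violation; nothing is stored."""
    errors = validate(json.loads(raw_body), REQUEST_SCHEMA)
    if errors:
        return {"status": 400, "errors": errors}
    return {"status": 200}


# Constructed sample bodies: one benign, one carrying markup in a string property.
GOOD = json.dumps({"jobschedulerId": "scheduler-1", "comment": "restart after patch"})
BAD = json.dumps({"jobschedulerId": "scheduler-1", "comment": "<script>alert(1)</script>"})
```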

          People

            Oliver Haufe
            Kanika Agrawal