ansibleguy/webui

Problem: Potential Cross-site scripting

ntrampham opened this issue · 9 comments

Versions

latest

Scope

Backend (API)

Issue

Report.pdf

Greetings!

Thank you for reporting this issue. Had overlooked that validation.

Hi

Would you mind publishing a CVE for this?

I actually do not know how to publish a CVE. Would have to read into it..
Using this form? https://cveform.mitre.org/

Yes, absolutely right!

That would be great if you can setup a security policy for the repo you own here https://github.com/ansibleguy/webui/security.

This would allow users to draft a report on their own. You will then only need to approve and publish it. Ref: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory#

Alright. Have added the policy and security advisories are now enabled.
Would you mind testing the validation-fix in version 0.0.21?

Fix looks good. I am no longer able to reproduce the vulnerability. Please go ahead and publish a security advisory for this.

Here you go: GHSA-927p-xrc2-x2gj

Thank you again for reporting it.

Have a nice day

Note: CSP is configured since the last release.
This feature helps prevent XSS in possible future vulnerabilities.
5cbe2f8