An XSS security vulnerability was reported by Stas Kravchenko. The container title was not being encoded on output in the container view or the print label view, which allowed potential unwanted JavaScript execution. This has been patched and deployed.
Original report (Aug 23, 2020, 8:10 AM EST):
Details:
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates, without validating or encoding it.
Payload:
"><img src=x onerror=alert(1)>
Recommendations:
- Always encode untrusted data (all parameters which are submitted to the server and then rendered as part of the web page) prior to including it in web pages. The type of encoding should be selected according to the context in which the data is inserted, e.g. HTML element, HTML attribute, etc;
- HTML encoding should at minimum target the following characters: ' (single quote), " (double quote), > (greater than), < (less than), & (ampersand), / (forward slash) and \ (backslash), but again this will depend on the context.
- Validate user input (including all hidden fields) and verify it is of the proper length, type, and range;
- Input validation should be based on a white-list approach (i.e. the application should accept and process only expected input) whenever possible;
- Always implement input validation on the server-side; validation made on the client-side cannot be relied on;
- It is important to use common and proven output encoding and input validation libraries/functions.
Reference:
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
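The following is an added example, not code from the project or from the reporter, showing the two recommendations above applied to a "container title" field: context-aware HTML output encoding (covering the characters listed in the report) and a server-side allow-list validator. The function names, the rendering templates and the title rules (1-100 characters from a fixed character set) are assumptions made for illustration; the payload is the one from the report.

```javascript
// Added example (not the project's code). Demonstrates output encoding and
// allow-list validation for a container title. Function names, templates
// and the title rules below are assumptions for illustration.

// Encoding table for HTML element content and quoted attribute values,
// covering the characters the report lists: & < > " ' / \
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
  "\\": "&#x5C;",
};

// Single-pass replace, so an ampersand already in the input is encoded
// exactly once and nothing is double-encoded.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/\\]/g, (ch) => HTML_ESCAPES[ch]);
}

// Container view: the title lands in element content (assumed template).
function renderContainerView(title) {
  return `<h1 class="container-title">${encodeForHtml(title)}</h1>`;
}

// Print label view: the title lands in a double-quoted attribute value
// (assumed template). This is the context the payload's leading `">`
// breaks out of when the value is not encoded.
function renderPrintLabel(title) {
  return `<input type="text" value="${encodeForHtml(title)}" readonly>`;
}

// Vulnerable counterpart, kept only to show the failure the report found.
function renderPrintLabelUnsafe(title) {
  return `<input type="text" value="${title}" readonly>`;
}

// Server-side allow-list validation for the title. Assumed rules: 1-100
// characters of letters, digits, space and a few punctuation marks.
// Validation is a second line of defence; output encoding is still applied.
const TITLE_RE = /^[\p{L}\p{N} _.,()'-]{1,100}$/u;
function isValidTitle(title) {
  return typeof title === "string" && TITLE_RE.test(title);
}

// Payload from the report.
const PAYLOAD = '"><img src=x onerror=alert(1)>';

// Crude check used only by this example: does the rendered markup contain
// any literal tag other than the template's own? A real test would parse
// the DOM, but this is enough to show the difference between the two renderers.
function containsInjectedTag(html, expectedTag) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => t.replace(/^<\/?/, "").toLowerCase() !== expectedTag);
}

// Stand-alone demonstration.
console.log("encoded payload :", encodeForHtml(PAYLOAD));
console.log("unsafe label    :", renderPrintLabelUnsafe(PAYLOAD),
  "-> injected:", containsInjectedTag(renderPrintLabelUnsafe(PAYLOAD), "input"));
console.log("encoded label   :", renderPrintLabel(PAYLOAD),
  "-> injected:", containsInjectedTag(renderPrintLabel(PAYLOAD), "input"));
console.log("valid title?    :", isValidTitle(PAYLOAD), isValidTitle("Box 12 (spare parts)"));
```

The encoder is the same for both views because both contexts here (element content and a double-quoted attribute) are covered by the seven characters in the report; a title inserted into a JavaScript string, a URL or a CSS value would need a different encoder for that context, which is the point of the report's "depends on the context" caveat.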