Mgmt API error page vulnerable to cross-site scripting attack #1067
Comments
|
Thanks for reporting the issue found by your security team. We'll see this fixed asap |
schabdo
changed the title
|
I would have expected that such special character within the URL are treated by Jetty. Tomcat behaves as expected: |
|
Thanks for the quick response and reaction!! |
|
Sure. I filed CVE-2020-27219 for the records |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
our security team reported an issue with our Hawkbit instance:
Request:
POST to /cgi-bin/<script>xss-test<script>.asp
Response:
{"timestamp":"2021-01-11T07:18:10.650+0000","status":404,"error":"Not Found","message":"Not Found","path":"/cgi-bin/<script>xss-test</script>.asp"}
I was able to reproduce this behavior on your sandbox instance. Btw. for GET requests the path is not returned.
Could you please provide a fix or a workaround for that behavior?
Kind regards,
Holger
The text was updated successfully, but these errors were encountered: