Vulnerability! - Cross Site Scripting (XSS)

Status
Not open for further replies.

mattsh

Member
Hi!

My IT security department informed me that there's a problem with a Fabrik form: a Cross Site Scripting (XSS) vulnerability. And they sent me the link below.

This link (made anonymous) is a form you reach from a list connected by dbjoin (course_date_id) via a related link. The dbjoin element is just shown in the form (auto-complete).
https://XXXXXXXXX/fabrik/form/5?referring_table=4&XXXXX_course_registration___course_date_id_raw=876

Cross Site Scripting (XSS)
CVSSv3 Score: 6.1

Is it a real vulnerability I need to act on? Do you need additional information? I'm far from an expert in this area....

Regards
Matt
J 3.9.24
F 3.9 (not the latest...)
 
Seems to be the issue described in here:
https://github.com/Fabrik/fabrik/issues/2033

Although I couldn't track down the fix for this, I don't seem to have this issue with a GitHub update from a few weeks ago.

You could update Fabrik at least to 3.9.2, or make a GitHub update and see if the issue is still there.

About the severity, it's always a subjective matter and depends on a lot of things. If it's not a public form, I would say that the probability of "something bad" happening regarding this is minor.
 
The dbjoin element is shown in the form (auto-complete); is there any difference if I change it to a dropdown?

Matt
 