1. Fabrik 3.9 has been released. If you have updated Joomla to 3.9, this is a required update.
    Dismiss Notice

Vulnerability!- Cross Site Scripting (XSS)

Discussion in 'Community' started by mattsh, Feb 25, 2021.

Thread Status:
Not open for further replies.
  1. mattsh

    mattsh Member

    Level: Community
    Hi!

    My it-security department informed me that it's a problem with a Fabrik form. A Cross Site Scripting (XSS) vulnerability. And they sent me the link below.

    This link (made anonymous) is a form you reach from a list connected by dbjoin (course_date_id) via a related link. The dbjoin element is just shown in the form (auto-complete).
    https://XXXXXXXXX/fabrik/form/5?referring_table=4&XXXXX_course_registration___course_date_id_raw=876

    Cross Site Scripting (XSS)
    CVSSv3 Score: 6.1

    Is it a real vulnerability I need to act on? Do you need additional information? I'm far from a expert in this area....

    Regards
    Matt
    J 3.9.24
    F 3.9 (not the latest...)
     
  2. mattsh

    mattsh Member

    Level: Community
    Friendly bump
     
  3. juuser

    juuser Well-Known Member

    Level: Community
    Seems to be the issue described in here:
    https://github.com/Fabrik/fabrik/issues/2033

    Although I couldn't track down the fix for this, I don't seem to have this issue with Github update from a few weeks ago.

    You could update Fabrik at least to 3.9.2. or make a Github update and see if the issue is still there.

    About the severity, it's always subjective matter and depends on a lot of things. If it's not a public form, I would say that the probability of "something bad" happening regarding this is minor.
     
  4. mattsh

    mattsh Member

    Level: Community
  5. mattsh

    mattsh Member

    Level: Community
    Sorry, but a scanning still report the same Cross Site Scripting (XSS) on my freshly GitHub-updated site.

    Need help!

    Regards
    Matt
    J 3.9.26
    F 3.92 latest GitHub
     
  6. mattsh

    mattsh Member

    Level: Community
    The dbjoin element is shown in the form (auto-complete), is any difference if I change it to dropdown?

    Matt
     
  7. juuser

    juuser Well-Known Member

    Level: Community
    Try and see if this makes any difference.

     
  8. mattsh

    mattsh Member

    Level: Community
    A dropdown worked fine and the it-security department is pleased with that solution.

    Matt
     
    juuser likes this.
Thread Status:
Not open for further replies.

Share This Page