[Read Only] - Hippo Site Toolkit 2 - HSTTWO-1514

XSS vulnerability in SearchResult class of site-toolkit-core


Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Fix Version/s: 2.05.04, 2.20.02, 2.21.00

    Description

      Version: site-toolkit-core-2.02.12-sources.jar

      There exists an XSS vulnerability in class: org.hippoecm.hst.core.template.module.query.SearchResult
      See method computePagesAndLinks():

      • Values are taken from the 'parameterMap' without escaping the values.
      • The unescaped values are put in the Page.link variable, which can be accessed directly on a webpage => introducing the possibility of an XSS hack.

      Could you verify if this problem still exists in a newer version of the site-toolkit-core?
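The pattern the report describes (request parameters concatenated straight into a link string that a template later writes out) and its hardened counterpart, shown side by side as an added example. This is not the toolkit's own SearchResult or Page code: the class and method names (PagingLinks, Page, computeLinksUnsafe, computeLinksSafe, escapeHtml), the "query" parameter and the sample input are assumptions made for illustration. The safe variant encodes the value once for each context it passes through: URL-encoding when it becomes part of a query string, then HTML-escaping the finished attribute value because the result is emitted as HTML.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical stand-in for a pagination helper; names are illustrative only.
public final class PagingLinks {

    // Minimal holder for a page number and the HTML link fragment a template will print.
    public static final class Page {
        public final int number;
        public final String link;
        Page(int number, String link) { this.number = number; this.link = link; }
    }

    // Vulnerable pattern: the raw request parameter is concatenated into the href.
    // Whatever the client sent (quotes, angle brackets) reaches the page unchanged,
    // so a crafted value can close the attribute and inject markup.
    public static List<Page> computeLinksUnsafe(String basePath, Map<String, String[]> parameterMap, int pageCount) {
        List<Page> pages = new ArrayList<>();
        String query = first(parameterMap, "query");
        for (int i = 1; i <= pageCount; i++) {
            String link = "<a href=\"" + basePath + "?query=" + query + "&page=" + i + "\">" + i + "</a>";
            pages.add(new Page(i, link));
        }
        return pages;
    }

    // Hardened pattern: encode for the URL context first, then for the HTML context.
    // basePath is assumed to be server-controlled and therefore not derived from the request.
    public static List<Page> computeLinksSafe(String basePath, Map<String, String[]> parameterMap, int pageCount) {
        List<Page> pages = new ArrayList<>();
        String encodedQuery = URLEncoder.encode(first(parameterMap, "query"), StandardCharsets.UTF_8);
        for (int i = 1; i <= pageCount; i++) {
            String href = basePath + "?query=" + encodedQuery + "&page=" + i;
            // Escaping the whole href also turns the '&' separator into '&amp;', as HTML requires.
            String link = "<a href=\"" + escapeHtml(href) + "\">" + i + "</a>";
            pages.add(new Page(i, link));
        }
        return pages;
    }

    // Returns the first value of a multi-valued parameter, or "" when absent.
    static String first(Map<String, String[]> parameterMap, String key) {
        String[] values = parameterMap.get(key);
        return (values == null || values.length == 0 || values[0] == null) ? "" : values[0];
    }

    // HTML-escapes the five characters that can change meaning inside text or a quoted attribute.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a query value that tries to close the href attribute.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("query", new String[] { "\"><b>injected</b>" });

        System.out.println("unsafe: " + computeLinksUnsafe("/search", params, 1).get(0).link);
        System.out.println("safe:   " + computeLinksSafe("/search", params, 1).get(0).link);
    }
}
```

Running the class prints the unsafe link with the injected markup intact inside the anchor, while the safe link carries the value as `%22%3E%3Cb%3Einjected%3C%2Fb%3E` inside a properly escaped attribute. The two-step encoding matters: URL-encoding alone would have neutralised this particular input, but only the HTML escape covers every character that is significant in the attribute context the value finally lands in.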

            People

    Assignee: wko Woonsan Ko (Inactive)
    Reporter: rroestenburg Robin Roestenburg (Inactive)