st2stanley published GHSA-w277-gpp9-g249 on Dec 5, 2022
Package: st2 (stackstorm)
Affected versions: <3.8.0
Patched versions: 3.8.0

Package: st2web (stackstorm)
Affected versions: <3.8.0
Patched versions: 3.8.0
Description

Impact
Cross-site scripting (XSS) vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged-in users with write access to pack rules to inject arbitrary script or HTML that may be executed in the Web UI for other logged-in users.

Patches
Affected StackStorm versions: all prior to v3.8.0.
The issue was fixed in StackStorm v3.8.0.

Weakness, as described by MITRE: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
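The weakness above is about rendering untrusted rule fields into the Web UI without neutralizing markup characters. The following added example is not StackStorm or st2web code; it shows the unescaped rendering pattern beside a hardened version that escapes every user-controlled field, using a constructed sample rule whose field names (ref, description) are assumptions for illustration.

```javascript
// Added example (not StackStorm code): escape rule fields before they are
// placed into Web UI markup, so <, >, &, and quotes are rendered as text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample: a rule as a user with write access to pack rules
// could submit it. The description contains markup and an ampersand.
const SAMPLE_RULE = {
  ref: 'examples.sample_rule',
  description: 'Alerts <b>ops</b> & pages on-call',
};

// Vulnerable pattern: untrusted fields concatenated straight into markup,
// so any tag in the description becomes part of the page for other users.
function renderRuleUnsafe(rule) {
  return `<tr><td>${rule.ref}</td><td>${rule.description}</td></tr>`;
}

// Hardened pattern: every untrusted field goes through escapeHtml(), so
// the browser shows the characters literally instead of interpreting them.
function renderRuleSafe(rule) {
  return `<tr><td>${escapeHtml(rule.ref)}</td><td>${escapeHtml(rule.description)}</td></tr>`;
}

// Defender-side check: the rendered markup may contain only the tags that
// the template itself emits; any other tag came from untrusted data.
function containsOnlyTemplateTags(html) {
  const allowed = new Set(['tr', '/tr', 'td', '/td']);
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.every((t) => allowed.has(t.slice(1, -1)));
}

console.log(renderRuleUnsafe(SAMPLE_RULE), containsOnlyTemplateTags(renderRuleUnsafe(SAMPLE_RULE)));
console.log(renderRuleSafe(SAMPLE_RULE), containsOnlyTemplateTags(renderRuleSafe(SAMPLE_RULE)));
```

In a framework UI the same rule applies: bind untrusted fields as text nodes or escaped strings, never as raw HTML.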
Credits
This issue was discovered and reported to us by Mohamed Elgllad.