XSS Vulnerabilities in 2.8 #2116
Limraj added a commit that referenced this issue Aug 14, 2023
…dit.jsp, dataPointDetails.jsp, users.jsp, editMeta.jsp, eventTextRenderer.jsp, pointName.jsp, pointProperties.jsp, textRenderer.jsp; added function: removeScriptTag in common.js; added method: DataPointEditDwr.removeScriptTag;

Limraj added a commit that referenced this issue Aug 17, 2023
…on.js; corrected: attractor point list - editVirtual.jsp, eventTextRenderer.jsp, textRenderer.jsp, dataSourceEdit.jsp, watchList.jsp

Limraj added a commit that referenced this issue Aug 17, 2023
Describe the bug
This issue reports XSS vulnerabilities found in Scada-LTS 2.8 with the security patch applied in #2103.
List of bugs
- Data sources, Name of DataSource is not escaped
- Data sources, Point name of DataSource is not escaped
- Data source edit, Name of Point is not escaped
- Data point details, Point name and Name of DataSource are not escaped
- Data point properties, Data Point name, Data Source name, Text renderer properties, Event text renderer properties, Event detectors are not escaped
- WatchLists, Data Point name is not escaped
- Graphical Views, Component Chart Comparator and Link are not escaped

Data test
Scada-LTS_xss.zip
Desktop (please complete the following information):
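
The fields listed in this issue are user-supplied names written into HTML without encoding. The following is an added example, not part of the original issue and not Scada-LTS code: it output-encodes such names through an auto-escaping template tag and compares that with tag stripping. All function names and sample values are assumptions made for illustration; `stripScriptTags` is a hypothetical stand-in and does not reproduce the project's `removeScriptTag`.

```javascript
// Added example. All sample names are constructed; stripScriptTags is a
// hypothetical stand-in, not the project's removeScriptTag.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Tagged template: literal markup passes through, each interpolated value is escaped.
function html(strings, ...values) {
  return strings.reduce((out, part, i) => out + escapeHtml(values[i - 1]) + part);
}

// Hypothetical blocklist sanitizer, for comparison only.
function stripScriptTags(value) {
  return String(value).replace(/<\/?script\b[^>]*>/gi, '');
}

// One watch list row; both names are user-controlled strings.
function renderRow(point) {
  return html`<tr title="${point.dataSourceName}"><td>${point.name}</td></tr>`;
}

// Regression check: true when the fragment contains no tags besides `allowed`.
function onlyExpectedTags(fragment, allowed) {
  const tags = fragment.match(/<\/?[a-zA-Z][\w-]*/g) || [];
  return tags.every((t) => allowed.includes(t.replace(/^<\/?/, '').toLowerCase()));
}

// Constructed sample records covering element-content and attribute contexts.
const samples = [
  { name: '<script>alert(1)</script>', dataSourceName: 'DS "virtual" & co' },
  { name: '<img src=x onerror=alert(1)>', dataSourceName: '" onmouseover="alert(1)' },
];

for (const point of samples) {
  const stripped = `<td>${stripScriptTags(point.name)}</td>`;
  console.log('stripped ok:', onlyExpectedTags(stripped, ['td']),
              '| escaped ok:', onlyExpectedTags(renderRow(point), ['tr', 'td']));
}
```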