(Click to enlarge)

This is a spacer post for a website comment topic. The content this topic relates to: #4633 - Reflected Cross Site Scripting (XSS)

This is confirmed.

Thank You,
Waiting for the resolution.

Simpler test case:
http://example-site/data/ajax_tree.php?hook=choose_gallery&id=&options=a:5:{s:21:"must_accept_something";b:1;s:6:"purity";b:0;s:14:"addable_filter";b:1;s:6:"filter";N;s:9:"member_id";N;}&default=<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert("Hello")</something:script>

The JavaScript is executing within the XML mime type via XML namespaces. Resolution is simple but we need to be careful to assume that XSS is not able to happen within other XML outputs.

I don't think any of the developers were aware that JavaScript could be embedded in XML responses like this. Knowing this now, I have gone over all the XML responses and checked either XML or HTML escaping is used (preferably XML, but HTML will work in practice and is secure). Additionally as a secondary layer of defense, CSP headers will be put out to disable JavaScript for these requests - and I have tested that works.

Thank You. Waiting for the fix.

Automated response: XSS in an XML script

One particular AJAX script that produces XML may be manipulated to output executable arbitrary JavaScript code. An XSS vulnerability is one whereby a hacker crafts a vulnerable URL that they then trick a target user (such as the webmaster) to access, causing the code to run on their machine and potentially expose things such as login cookies.

We're going to request a CVE for that. Let us know when you guys are prepare.
Thank You.

A new patch version is out, and the issues are announced and mitigated. That means this (and the other security issue) are completed from our end, unless something else comes up. Let me know if you need something specific from us.

A Certificate Of Appreciation Will Be A Great motivation.
Author: Orion Hridoy
Company: BugsBD Private LTD.