Impact
Two fields on the view findings page (File Path and SAST Source File Path) do not sanitize user input properly and make stored XSS injections possible.
Patches
The problem has been fixed with release 2.4.0. The content of both fields is escaped properly when rendering the view findings page.
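As an added illustration of the fix described above (example code written for this advisory, not the project's own rendering code): a hypothetical template for the view findings page rendered once with the pre-2.4.0 pattern (field values interpolated as-is) and once with output escaping applied at render time, plus a regression check that flags any tag in the output that the template itself did not emit. The finding data is constructed.

```python
import html
import re

# Constructed sample finding: the two fields named in the advisory carry
# text that came from an untrusted source (e.g. an imported scanner report).
SAMPLE_FINDING = {
    "title": "Hardcoded credential",
    "file_path": 'src/app.py"><script>/* constructed */</script>',
    "sast_source_file_path": "<b>src/app.py</b> & lib/util.py",
}

# Hypothetical template for the view findings page, shared by both renderers.
TEMPLATE = (
    "<h1>{title}</h1>\n"
    "<dl>\n"
    "  <dt>File Path</dt><dd>{file_path}</dd>\n"
    "  <dt>SAST Source File Path</dt><dd>{sast_source_file_path}</dd>\n"
    "</dl>"
)


def render_vulnerable(finding: dict) -> str:
    """Pre-2.4.0 pattern: field values are interpolated into the HTML unchanged."""
    return TEMPLATE.format(**finding)


def render_fixed(finding: dict) -> str:
    """2.4.0 pattern: every field is HTML-escaped when the page is rendered."""
    safe = {key: html.escape(str(value), quote=True) for key, value in finding.items()}
    return TEMPLATE.format(**safe)


# Any tag other than the template's own h1/dl/dt/dd elements is injected markup.
TAG_RE = re.compile(r"<(?!/?(h1|dl|dt|dd)\b)[^>]*>", re.IGNORECASE)


def contains_injected_markup(rendered: str) -> bool:
    """Regression check: True if the rendered page holds a tag the template did not emit."""
    return TAG_RE.search(rendered) is not None


if __name__ == "__main__":
    print("vulnerable:", contains_injected_markup(render_vulnerable(SAMPLE_FINDING)))  # True
    print("fixed:     ", contains_injected_markup(render_fixed(SAMPLE_FINDING)))       # False
```

The same check can be run against the real page output after upgrading to confirm that both fields are encoded.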
Workarounds
If you cannot upgrade to release 2.4.0, you should:
- Minimize the number of users who can edit findings.
- Make sure imports of findings can only be done from trusted data sources.
For more information
If you have any questions or comments about this advisory:
Credit
This issue was discovered and reported by Laddada Nadjet - Security Team - Eldjazaer Information Technology - Elit on HackerOne. We greatly appreciate their contribution, report, and assistance.