    XSS issue with IDACall

    My application has been flagged for an XSS violation. The step to repro is just to paste the URL below into a browser and an alert with "XSS" will be shown. You can see the injection highlighted in red. How can I guard against this?

    https://serverurl/portal/sc/IDACall?isc_rpc=1&isc_v=9.1p_2014-07-13&isc_xhr=1&isc_tnum=13&_transaction=<transaction xmlns%3axsi%3d"http%3a%2f%2fwww.w3.org%2f2000%2f10%2fXMLSchema-instance" xsi%3atype%3d"xsd%3aObject"><transactionNum xsi%3atype%3d"xsd%3along">13<%2ftransactionNum><operations xsi%3atype%3d"xsd%3aList"><elem xsi%3atype%3d"xsd%3aObject"><criteria xsi%3atype%3d"xsd%3aObject"><%2fcriteria><operationConfig xsi%3atype%3d"xsd%3aObject"><dataSource>sitesModule<%2fdataSource><operationType>fetch<%2foperationType><textMatchStyle>startsWith<%2ftextMatchStyle><%2foperationConfig><startRow xsi%3atype%3d"xsd%3along">0<%2fstartRow><endRow xsi%3atype%3d"xsd%3along">75b9dp7%26lt%3bimg src%3da onerror%3dalert('XSS')>zei05<%2fendRow><componentId>isc_PickListMenu_0<%2fcomponentId><appID>builtinApplication<%2fappID><operation>sitesModule_fetch<%2foperation><oldValues xsi%3atype%3d"xsd%3aObject"><%2foldValues><%2felem><%2foperations><%2ftransaction>&protocolVersion=1.0
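The payload above puts a non-numeric value into an element declared `xsd:long` (`endRow`), and the `%26lt%3b` in the URL becomes `&lt;` after URL decoding, which the XML parser then turns into a literal `<`. A server that echoes that unvalidated value into an HTML error page hands the browser a live `<img onerror=...>` tag. The following Python is an added illustration of the bug class and the two defences a practitioner would apply (type validation before use, HTML output encoding if anything is echoed); it is not code from the original post or from the SmartClient server, and `SAMPLE_TRANSACTION`, `decode_end_row`, `render_error_unsafe`, `render_error_safe`, `validate_end_row` and `handle_end_row` are names constructed for this example.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample, modelled on the _transaction parameter in the report above.
# Only the endRow element is kept; the real transaction carries many more elements.
SAMPLE_TRANSACTION = (
    "%3Ctransaction%3E%3CendRow%3E"
    "75b9dp7%26lt%3Bimg%20src%3Da%20onerror%3Dalert('XSS')%3Ezei05"
    "%3C%2FendRow%3E%3C%2Ftransaction%3E"
)


def decode_end_row(encoded_transaction):
    """URL-decode the parameter, parse the XML and return the text of <endRow>.

    Two decoding layers run here: percent-decoding, then XML entity decoding.
    That is why '&lt;' in the URL ends up as a raw '<' in the returned string.
    """
    xml_text = unquote(encoded_transaction)
    root = ET.fromstring(xml_text)
    return root.findtext("endRow")


def render_error_unsafe(end_row):
    """The reflected-XSS pattern: untrusted text interpolated straight into HTML."""
    return "<html><body>Invalid endRow value: %s</body></html>" % end_row


def render_error_safe(end_row):
    """Same message with HTML output encoding; '<', '>', '&' and quotes become entities."""
    return "<html><body>Invalid endRow value: %s</body></html>" % html.escape(end_row, quote=True)


def validate_end_row(end_row):
    """endRow is declared xsd:long, so accept only an integer; return None otherwise."""
    try:
        return int(end_row)
    except (TypeError, ValueError):
        return None


def handle_end_row(encoded_transaction):
    """Defensive handling: validate the type first and never echo the raw value."""
    value = validate_end_row(decode_end_row(encoded_transaction))
    if value is None:
        # Generic message: nothing attacker-controlled reaches the response.
        return "<html><body>Invalid endRow value</body></html>"
    return "<html><body>endRow=%d</body></html>" % value


if __name__ == "__main__":
    reflected = decode_end_row(SAMPLE_TRANSACTION)
    print("decoded endRow :", reflected)
    print("unsafe response:", render_error_unsafe(reflected))
    print("escaped response:", render_error_safe(reflected))
    print("validated response:", handle_end_row(SAMPLE_TRANSACTION))
```

Running it shows the decoded `endRow` already contains the bare `<img ...>` tag, that the unsafe render emits it verbatim while the escaped render emits `&lt;img ...&gt;`, and that type validation rejects the value before any rendering question arises. Validation is the primary fix here; output encoding is the backstop for every other place a request value might be echoed.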

    #2
    It looks like you are using a version that is well past end of life and you do not have the latest patches installed. We have already checked and there does not appear to be a similar issue with any current, patched version.
