Skip to content

Security Fix for Cross-site Scripting (XSS) - huntr.dev#315

Merged
scmmishra merged 2 commits into
frappe:masterfrom
418sec:1-npm-frappe-charts
Dec 14, 2020
Merged

Security Fix for Cross-site Scripting (XSS) - huntr.dev#315
scmmishra merged 2 commits into
frappe:masterfrom
418sec:1-npm-frappe-charts

Conversation

@huntr-helper

Copy link
Copy Markdown

https://huntr.dev/users/arjunshibu has fixed the Cross-site Scripting (XSS) vulnerability 🔨. arjunshibu has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue | #313
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/frappe-charts/1/README.md

User Comments:

📊 Metadata *

frappe-charts is vulnerable to Cross-Site Scripting (XSS).

Bounty URL: https://www.huntr.dev/bounties/1-npm-frappe-charts

⚙️ Description *

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

💻 Technical Description *

While rendering charts, the package is validating all object fields except name in datasets array, this allows malicious code execution. The fix is implemented by properly validating name field to escape malicious characters.

🐛 Proof of Concept (PoC) *

Steps To Reproduce

References

Github Issue

🔥 Proof of Fix (PoF) *

  • Before fix
    poc
  • After fix, Cross-Site Scripting is prevented.
    pof

+1 User Acceptance Testing (UAT)

  • I've executed unit tests.
  • After fix the functionality is unaffected.

arjunshibu and others added 2 commits November 11, 2020 11:36
Security fix for Cross-Site Scripting Vulnerability in frappe-charts
@JamieSlome

Copy link
Copy Markdown
Contributor

@pratu16x7 @scmmishra - let me know if you have any thoughts or questions, cheers! 🍰

@scmmishra

Copy link
Copy Markdown
Contributor

@JamieSlome @huntr-helper Can you please follow the PR template. I see a lot of irrelevant links to your site, while I appreciate the spirit of your contribution, I'd like the PR description to be on point only.

@scmmishra scmmishra merged commit d5706a5 into frappe:master Dec 14, 2020
@GrosSacASac

Copy link
Copy Markdown
Contributor

$25 Stonks

@JamieSlome

Copy link
Copy Markdown
Contributor

@scmmishra, if you want more security fixes and patches like this in the future, you can let security researchers know that they can win bounties protecting your repository by copying this small code snippet into your README.md:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)

👇 👇 👇

huntr

@scmmishra scmmishra mentioned this pull request Apr 30, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants