Security researcher @thank_you discovered multiple cross-site scripting (XSS) vulnerabilities in Netflix's open source Dispatch application. We recommend that users update to the latest version of Dispatch to patch the vulnerabilities.
This issue may allow an authenticated user to cause arbitrary JavaScript execution in the Dispatch web application. Given Dispatch's intended purpose, we expect that the typical Dispatch service is deployed internally and configured to allow access only from trusted users in an organization. If Dispatch is deployed in this way, the risk is lower, because an attacker would first need access to a legitimate user account.
XSS vulnerabilities were discovered and reported in the Dispatch application, affecting the name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. These vulnerabilities can be exploited by any authenticated user.
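The following is an added illustration of the bug class behind this advisory, not code from Dispatch or from the advisory itself. The advisory does not describe Dispatch's rendering path, so the example uses a generic stand-in record with the same `name` and `description` fields and a constructed payload; it shows an unescaped interpolation beside an escaped one, plus a simple audit helper an operator could run over exported records to spot values that carry markup. All record contents and function names are assumptions made for this example.

```javascript
// Added example (not Dispatch code): the XSS class behind this advisory,
// shown on a stand-in "incident priority" record. Field values, record
// ids and function names are constructed for illustration only.

// Escape the five characters that can start markup or break out of an
// attribute value; everything else is passed through unchanged.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);

// Constructed record: an authenticated user saved payloads in the name
// and description fields of a priority-like object.
const priority = {
  name: '<img src=x onerror="alert(document.cookie)">',
  description: 'High" onmouseover="alert(1)',
};

// Vulnerable rendering: untrusted fields interpolated straight into HTML,
// so the stored payload becomes live markup for whoever views the page.
function renderUnsafe(p) {
  return `<tr><td>${p.name}</td><td>${p.description}</td></tr>`;
}

// Hardened rendering: every untrusted value is escaped before interpolation.
function renderSafe(p) {
  return `<tr><td>${escapeHtml(p.name)}</td><td>${escapeHtml(p.description)}</td></tr>`;
}

// Flag a value that contains characters capable of starting a tag or
// escaping an attribute. Legitimate names rarely need these characters,
// so a hit is worth a manual look rather than an automatic verdict.
function looksLikeMarkup(value) {
  return /[<>"']/.test(String(value));
}

// Walk a list of records and report which fields carry suspicious values.
function auditRecords(records, fields = ["name", "description"]) {
  const findings = [];
  for (const r of records) {
    for (const f of fields) {
      if (f in r && looksLikeMarkup(r[f])) findings.push({ id: r.id, field: f });
    }
  }
  return findings;
}

// Constructed sample export: one benign record and one carrying the payload.
const records = [
  { id: 1, name: "High", description: "Page the on-call" },
  { id: 2, ...priority },
];

console.log(renderUnsafe(priority));
console.log(renderSafe(priority));
console.log(auditRecords(records));
```

The audit helper is deliberately conservative: it reports any value with `<`, `>`, `"` or `'` so that an operator reviewing pre-patch data can see which stored names and descriptions would have been rendered as markup, then clean them up by hand after upgrading.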
These vulnerabilities have been patched in the v20201106 release. Organizations and users of Dispatch should update to the most recent version to apply the patch. We have also published production deployment guidelines to help with hardening Dispatch deployments, and we recommend that Dispatch operators follow this guidance when deploying Dispatch in an organization.