This repository has been archived by the owner on Mar 21, 2018. It is now read-only.
We've had our soon to be launched site externally security tested. The security auditors use the AS/NZS 31000:2009 standard for assessing risk. A few issues recorded were linked directly to the LogViewer component. I will include a new issue per issue recorded by security audit.
Consequence Moderate
In a reflected XSS attack, the attack is in the request itself (frequently the URL) and the vulnerability occurs when the server inserts the attack in the response verbatim or incorrectly escaped or sanitized.
The LogViewer takes input from the PATH_INFO in a user’s request and uses that to build a hyperlink on the page. This can be hijacked to introduce a Cross-Site Scripting vulnerability. For example, the following https://example.com/admin/logs/app/apache/%3CA%20HREF=%22javascript:alert(1)%22%3Eetc will create a link “etc” on the page and if clicked will execute JavaScript. In most cases the user’s web browser’s XSS mitigation should catch the attempt to execute JavaScript – however – this cannot be relied upon and should be fixed.
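The link-building flaw described in the report, as an added Python example that is not part of the LogViewer project's code. The breadcrumb builder, the `/admin/logs` base path and the function names are assumptions; the unsafe builder reproduces the reported behaviour (decoded PATH_INFO segments interpolated verbatim), the hardened builder percent-encodes each segment for the href and HTML-escapes it for the markup, and an allowlist check rejects segments outside the characters a log path needs.

```python
import html
import re
from urllib.parse import quote, unquote

# Constructed input: the PATH_INFO from the report's example URL.
SAMPLE_PATH_INFO = "/app/apache/%3CA%20HREF=%22javascript:alert(1)%22%3Eetc"

# Allowlist for a single log path segment (assumed policy, not the project's).
SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def _segments(path_info: str):
    # Split on the raw path first so an encoded "/" cannot add a segment,
    # then decode each segment individually.
    return [unquote(p) for p in path_info.split("/") if p]


def breadcrumbs_unsafe(path_info: str, base: str = "/admin/logs") -> str:
    """Vulnerable pattern: decoded segments land verbatim in the href and
    the link text, so a segment containing markup becomes markup."""
    links, href = [], base
    for part in _segments(path_info):
        href = f"{href}/{part}"
        links.append(f'<a href="{href}">{part}</a>')
    return " / ".join(links)


def breadcrumbs_safe(path_info: str, base: str = "/admin/logs") -> str:
    """Hardened: each segment is percent-encoded inside the href (so it can
    never supply its own scheme such as javascript:) and HTML-escaped for
    both the attribute value and the visible text."""
    links, href = [], base
    for part in _segments(path_info):
        href = f"{href}/{quote(part, safe='')}"
        links.append(
            f'<a href="{html.escape(href, quote=True)}">{html.escape(part)}</a>'
        )
    return " / ".join(links)


def segments_are_valid(path_info: str) -> bool:
    """Defence in depth: reject the request outright when any segment falls
    outside the allowlist, independent of how the page is rendered."""
    return all(SEGMENT_RE.match(p) for p in _segments(path_info))
```

Output encoding is the fix for the reported issue; the allowlist check lets the handler return 404 before any rendering happens.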