IF you don't understand what I am talking about, just forward my email to the CEO/CTO/Security Team.

Hi Team,

I'm Saransh Saraf, a Security Researcher and bug hunter: https://www.linkedin.com/in/saransh-saraf-2b514b20b/

I've found a bug in your website. Here is the detailed report:

Vulnerable Domain: trss.adoptium.net
Vulnerability Name: Reflected Cross-site scripting
Vulnerable URL: https://trss.adoptium.net/api-docs/?configUrl=https://jumpy-floor.surge.sh/test.json
Impact: The attacker will steal the cookies of a user to log in as him, he'll do phishing on behalf of the domain, and he'll also spread malware and viruses.

If you think my efforts are worth something, please reward me with a bounty :)

I'm looking forward to hearing from you.

Regards,
Saransh Saraf
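The report above hinges on a Swagger UI page that accepts a configuration document from the `configUrl` query parameter, so a link can make the UI fetch and apply configuration from a host the site operator does not control. Disabling the UI (as done later in this thread) removes the issue entirely; where the UI must stay, the defensive alternatives are to run a Swagger UI build with query-string configuration turned off (its `queryConfigEnabled` option is off by default in current releases) and to validate the parameter server-side. The following is an added example, not code from Adoptium or TRSS, of such a server-side allowlist check: the site origin and the `/api-docs/` prefix are assumptions, the middleware shape is Express-style but framework-agnostic, and the sample inputs are constructed (one of them is the URL quoted in the report).

```javascript
// Added example (not Adoptium/TRSS code): allowlist a Swagger UI "configUrl"
// query parameter so the UI can only load a configuration served from the
// application's own origin under a fixed path prefix. Everything else
// (cross-origin, protocol-relative, data:/javascript: schemes, path traversal
// out of the prefix) is rejected before the value ever reaches Swagger UI.

const SITE_ORIGIN = "https://trss.adoptium.net"; // assumption: the deployed origin
const ALLOWED_PREFIX = "/api-docs/";             // assumption: where config files live

function isAllowedConfigUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return false;
  let parsed;
  try {
    // Resolve relative values against the site origin so "/api-docs/x.json" and
    // "https://trss.adoptium.net/api-docs/x.json" are judged the same way. The
    // URL parser also normalises "..", so traversal is caught by the prefix test.
    parsed = new URL(raw, SITE_ORIGIN);
  } catch (e) {
    return false;
  }
  if (parsed.origin !== SITE_ORIGIN) return false;            // cross-origin or opaque scheme
  if (!parsed.pathname.startsWith(ALLOWED_PREFIX)) return false;
  if (!parsed.pathname.endsWith(".json")) return false;        // only config documents
  return true;
}

// Hypothetical Express-style middleware: reject a disallowed configUrl with 400
// before the static Swagger UI page is served. Logging the rejected value gives
// the SOC a signal for attempted abuse without reflecting it back to the client.
function configUrlGuard(req, res, next) {
  const candidate = req.query && req.query.configUrl;
  if (candidate !== undefined && !isAllowedConfigUrl(candidate)) {
    res.statusCode = 400;
    res.end("configUrl must point to a local API configuration");
    return;
  }
  next();
}

// Constructed samples; the surge.sh entry is the URL from the report above.
const SAMPLES = [
  ["/api-docs/swagger-config.json", true],
  ["https://trss.adoptium.net/api-docs/swagger-config.json", true],
  ["https://jumpy-floor.surge.sh/test.json", false],   // remote config, the reported vector
  ["//jumpy-floor.surge.sh/test.json", false],          // protocol-relative, still remote
  ["data:application/json,{}", false],                  // opaque scheme, origin is "null"
  ["/api-docs/../static/x.json", false],                // normalises to /static/x.json
  ["/api-docs/config.html", false],                     // not a config document
];

// Returns the number of samples whose verdict matches the expectation.
function checkSamples() {
  return SAMPLES.filter(([url, expected]) => isAllowedConfigUrl(url) === expected).length;
}

module.exports = { isAllowedConfigUrl, configUrlGuard, checkSamples, SAMPLES };
```

The check deliberately compares the parsed `origin` rather than string-matching the prefix of the raw value: a raw prefix test would accept `https://trss.adoptium.net.example` or a `//host/...` value, while the parsed origin of both differs from the site's.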
cc'ing Adoptium committers.
Can we add lan.xia@ca.ibm.com to have visibility of this issue? She will be addressing this (either by updating the module, or removing the swagger UI as a resolution).
(In reply to Shelley Lambert from comment #2)
> Can we add lan.xia@ca.ibm.com to have visibility of this issue? She will be
> addressing this (either by updating the module, or removing the swagger UI
> as a resolution).

lan.xia@ca.ibm.com is not associated with any Eclipse account, so I cannot cc her. She will need to create an Eclipse account first: https://accounts.eclipse.org/user/register?destination=user
https://projects.eclipse.org/content/lan-xia-committer-eclipse-aqavit
Not sure what email is associated with that Eclipse account, but if you can, please add her.
lan_xia@ca.ibm.com ;)
I disabled the Swagger UI.
Hi, thanks for fixing this vulnerability. Am I now eligible for some bounty or an appreciation letter?
Thanks Lan.

Saraf, thanks for your report. I'm afraid we don't offer a bounty or an appreciation letter.