usd-2021-0032 | SUSE CVE Database (suse.com)
Advisory ID: usd-2021-0032
Affected Product: SUSE CVE database
Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: High
Vendor URL: https://www.suse.com/security/cve/
Vendor Status: Fixed
SUSE's CVE database embedded third-party content without sufficient filtering and/or encoding. Multiple instances have been identified where SUSE embedded untrusted <script> tags, resulting in stored cross-site scripting (XSS).
Proof of Concept (PoC)
The following screenshots illustrate that the <script> tag is embedded without any encoding or filtering and interpreted as markup by the browser accordingly:
It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages support standard procedures for encoding meta characters.
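An added example, not part of the usd AG advisory and not SUSE's code: context-specific output encoding as recommended above, written in Python next to the unencoded pattern. The function names, the placeholder CVE ID and the sample description are assumptions constructed for illustration.

```python
import html
import json
from urllib.parse import quote

# Constructed sample of third-party text carrying markup (not from the advisory).
UNTRUSTED = 'Input such as <script>alert(1)</script> & "quoted" text triggers the bug'
CVE_ID = "CVE-0000-0000"  # placeholder ID, not a real entry


def render_unencoded(cve_id, description):
    # The flawed pattern: third-party text is concatenated into markup as-is,
    # so the browser parses any tags it contains.
    return f"<h1>{cve_id}</h1><p>{description}</p>"


def encode_html(value):
    # HTML element content and quoted attribute values: & < > " ' become entities.
    return html.escape(value, quote=True)


def encode_url_component(value):
    # Query-string value inside a URL: percent-encode everything reserved.
    return quote(value, safe="")


def encode_js_data(value):
    # Data inside an inline script block: serialize as JSON, then write < > &
    # as unicode escapes so the text can never close the script element.
    out = json.dumps(value)
    for ch in "<>&":
        out = out.replace(ch, f"\\u{ord(ch):04x}")
    return out


def render_encoded(cve_id, description):
    # Each sink gets the encoder that matches its context.
    text = encode_html(description)
    payload = encode_js_data({"id": cve_id, "text": description})
    return (
        f"<h1>{encode_html(cve_id)}</h1>"
        f'<p title="{text}">{text}</p>'
        f'<a href="/search?q={encode_url_component(cve_id)}">related</a>'
        f"<script>var cve = {payload};</script>"
    )


if __name__ == "__main__":
    print(render_unencoded(CVE_ID, UNTRUSTED))
    print(render_encoded(CVE_ID, UNTRUSTED))
```
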
- 2021-11-10: The vulnerability is identified by Christian Rellmann.
- 2021-11-10: The vulnerability is submitted via e-mail to firstname.lastname@example.org and email@example.com at 15:09 CET.
- 2021-11-10: SUSE acknowledges the vulnerability and informs us that a fix was deployed at 17:06 CET.
- 2021-11-30: Security advisory released by usd AG.
This security vulnerability was found by Christian Rellmann of usd AG.