ajaxproxy - potential Cross Site Scripting issue

Description

Subject: Security Finding – Cross Site Scripting
Ticket Type: Security

During the recent security test of the website, a cross-site scripting issue was identified:

The consultant was able to inject JavaScript into a parameter within a request to ‘/admin/ajaxProxy/’. The location was the ‘action’ parameter, which does not properly validate input.

Although this was only exploitable with the Cloudflare WAF disabled, this should be remedied in the product.
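As an added illustration (not code from the ticket or from the ajaxProxy product, whose source is not shown here), this is the shape of the fix the finding calls for: the `action` parameter is checked against an allowlist of known actions, and any value that is echoed back is HTML-encoded. The action names and the sample request are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the real ajaxProxy action names are not on the ticket.
ALLOWED_ACTIONS = {"list", "get", "search"}


def _action_from(request_uri: str) -> str:
    """Pull the 'action' query parameter out of a request URI (empty if absent)."""
    params = parse_qs(urlsplit(request_uri).query)
    return params.get("action", [""])[0]


def vulnerable_response(request_uri: str) -> str:
    """'Before': the parameter value is reflected into the HTML body unencoded,
    so markup supplied by the client lands in the page as-is."""
    action = _action_from(request_uri)
    return f"<p>Unknown action: {action}</p>"


def hardened_response(request_uri: str) -> tuple[int, str]:
    """'After': validate against the allowlist first; anything that is still
    echoed back (here, only in the error message) is HTML-encoded."""
    action = _action_from(request_uri)
    if action not in ALLOWED_ACTIONS:
        safe = html.escape(action, quote=True)  # '<' -> '&lt;', '"' -> '&quot;', ...
        return 400, f"<p>Unknown action: {safe}</p>"
    # Only allowlisted values reach the dispatch path, so they are safe to echo.
    return 200, f"<p>Dispatching action {action}</p>"


def contains_script_tag(body: str) -> bool:
    """Check used when regression-testing the fix: did a <script> tag from the
    parameter survive into the response body?"""
    return "<script" in body.lower()
```

Rejecting unknown actions outright, rather than reporting them, is the simplest option; the encoded echo above shows the output-encoding half of the fix for handlers that must return the value.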

Environment

None

Assignee

Unassigned

Reporter

Steve Dowle

Labels

None

Accepted

None

Fix versions

Priority

Medium