[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
We've decided to drop this issue while testing for the vulnerability and were unable to recreate the issue. The product team is also not willing to update the package on the basis that there is no way to exploit the vulnerability within Horizon. If we do find an exploit we would be happy to reopen the issue.

** Changed in: python-xstatic-bootstrap-scss (Ubuntu)
       Status: New => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
Hello,

I've made several attempts at exploiting the XSS in horizon without the updated version. I will attach a video for one of those attempts. To me this seems like horizon it's using the scanned code at all, unless I've missed something so this could be a false positive in my opinion.

Thank You,
Heather Lemon

** Attachment added: "xsshorizon-2021-09-10_11.30.01"
   https://bugs.launchpad.net/horizon/+bug/1940450/+attachment/5524434/+files/xsshorizon-2021-09-10_11.30.01
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
Oh please use VLC to see video ;)
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
I take back my earlier comment, backporting the commit from upstream https://github.com/twbs/bootstrap/pull/28236/commits/5efa9b531d25927b907e3fa24b818608bc38a2f0 to both bionic and then xenial (if supported) with debian/changelog etc added is the correct way.
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
For the Ubuntu horizon package, we vendor in the xstatic files (see debian/README.source). So this could be as simple as refreshing the xstatic files.
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
** Tags added: cloud-archive
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
Yes, it's sufficient to upgrade the requirements.txt because it does not require code changes, but package upgrades. The debian/changelog does not track the requirements.txt file changes but need to be done manually. I'll try adding a patch this week.
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
Attached screenshot showing difference between Bootstrap versions with missing sanitize functions

** Attachment added: "Screenshot from 2021-08-23 15-55-14.png"
   https://bugs.launchpad.net/horizon/+bug/1940450/+attachment/5522304/+files/Screenshot%20from%202021-08-23%2015-55-14.png
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
The security team doesn't update cloud-archive packages, just Ubuntu archive packages.

Is it really sufficient to modify just the requirements.txt file in the git tree? I'm accustomed to seeing debian/changelog changes, debian/patches/ changes, etc., but I've never done any of the git-based packaging before.

Thanks
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
Upgrading the package to the fixed version shows the sanitize functions like "sanitizeHtml" in ~/horizon/xstatic/pkg/bootstrap_scss/data/js/bootstrap.js, however since this is a security fix, I'll have to let the security team handle it.

test branch with package upgrades
https://code.launchpad.net/~hypothetical-lemon/+git/horizon/+ref/lp1940450-cve-2019-8331
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
** Tags added: horizon-core
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
Your conclusions from #7 are all correct. It's up to the Ubuntu packagers to upgrade the relevant package to a version that is not affected.
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
I too am entirely out of my comfort zone with JavaScript, so my level of certainty is low, based solely on the text of CVE-2019-8331 which says (all?) Bootstrap versions prior to 3.4.1 are affected. I also did not check the rdepends for python3-xstatic-bootstrap-scss in Ubuntu and perhaps incorrectly assumed it might be used by more packages or by unpackaged software on people's systems.

I'll continue trying to get one of the Horizon developers to provide input on this report... I am but a humble vulnerability coordinator in this particular case, far from being a subject matter expert on the software.
[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.
I inspected some of the python3-xstatic-bootstrap-scss package:

./python-xstatic-bootstrap-scss_3.3.7.1-5/xstatic/pkg/bootstrap_scss/data/js/bootstrap/tooltip.js

While the header sure looks related, I couldn't find *any* hints that the patch from https://github.com/twbs/bootstrap/pull/28236/commits/5efa9b531d25927b907e3fa24b818608bc38a2f0 is remotely related. If they are related, that file has changed pretty drastically in the meantime.

Jeremy, can I ask, how confident you are that that package contains a version of the bootstrap tooltips that needs to be updated to address this flaw?

(I only found one user of this package, python3-vitrage-dashboard -- with just one user, it might also justify a similar "is this even an issue?" sort of check.)

Thanks

** Also affects: python-xstatic-bootstrap-scss (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: horizon (Ubuntu)
   Importance: Undecided
       Status: New

** Information type changed from Private Security to Public Security
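
The file inspection discussed across this thread (the Bootstrap version string versus the presence of the "sanitizeHtml" function in the vendored bootstrap.js / tooltip.js), written out as an added example that is not part of the original messages or of the Horizon or Bootstrap code. The function name `assess`, the verdict labels and the sample strings are assumptions made for illustration, and the version-banner patterns are assumed forms of the Bootstrap 3 file headers.

```python
import re
import sys

FIXED = (3, 4, 1)  # per the CVE-2019-8331 text cited in the thread

# Assumed version markers in Bootstrap 3 files: "Bootstrap v3.3.7" (bundle
# banner), "Bootstrap: tooltip.js v3.3.7" (plugin banner), ".VERSION = '3.3.7'".
VERSION_RE = re.compile(
    r"(?:Bootstrap(?::\s*[\w.-]+)?\s+v|\.VERSION\s*=\s*['\"])(\d+)\.(\d+)\.(\d+)")
# The thread identifies fixed files by the presence of a sanitizeHtml function.
SANITIZER_RE = re.compile(r"\bsanitizeHtml\s*\(")


def assess(js_source):
    """Return (version or None, has_sanitizer, verdict) for one file's text."""
    m = VERSION_RE.search(js_source)
    version = tuple(int(g) for g in m.groups()) if m else None
    has_sanitizer = bool(SANITIZER_RE.search(js_source))
    if has_sanitizer:
        # A distro backport adds the helper but keeps the old version string.
        verdict = "fixed" if version and version >= FIXED else "backported"
    elif version is None:
        verdict = "unknown"
    elif version < FIXED:
        verdict = "needs-review"
    else:
        verdict = "inconsistent"  # fixed version string but no sanitizer found
    return version, has_sanitizer, verdict


# Constructed sample inputs (hypothetical, not the real Bootstrap sources).
OLD = "/* Bootstrap: tooltip.js v3.3.7 */\nTooltip.VERSION  = '3.3.7'\n"
BACKPORT = OLD + "function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {}\n"
NEW = "/*! Bootstrap v3.4.1 */\nfunction sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {}\n"

if __name__ == "__main__":
    if sys.argv[1:]:  # paths to vendored bootstrap.js / tooltip.js files
        inputs = {}
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                inputs[path] = fh.read()
    else:
        inputs = {"old": OLD, "backport": BACKPORT, "new": NEW}
    for name, text in inputs.items():
        print(name, assess(text))
```

A "backported" verdict is the case a version-only scanner gets wrong: the file still reports 3.3.7 after the upstream commit has been applied as a distro patch.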