
TB069 XSS Vulnerability on the Masking Rule Set and Inventory Pages




Alert Type



FIPS 199 Severity Level: Critical

CVSS Score: 9.0, based on the following CVSS v3 base metrics:

  • Attack Vector (AV): Network (N)

  • Attack Complexity (AC): Low (L)

  • Privileges Required (PR): Low (L)

  • User Interaction (UI): Required (R)

  • Scope (S): Changed (C)

  • Confidentiality (C): High (H)

  • Integrity (I): High (H)

  • Availability (A): High (H)

An attacker could inject active code onto the Masking Engine GUI’s Rule Set and Inventory pages. When a user views these pages, the attacker’s code will execute with the permissions of the user viewing the page and therefore can perform any actions allowed by the user’s role (e.g., create a new Masking user, edit a Masking connector, et cetera).

Contributing Factors

The issue may occur when using any version of the Delphix Masking Engine, including:

Major Release All Sub Releases


This attack may be detected by reviewing the table/file/data set names and column/field names returned by the Masking API endpoints GET /table-metadata, GET /column-metadata, GET /file-metadata, GET /file-field-metadata, GET /mainframe-dataset-metadata, and GET /mainframe-dataset-field-metadata. Any name containing markup or code (e.g., HTML <script> tags, JavaScript code, etc.) indicates an attack, since legitimate names are plain identifiers.


Suppose an API response contains a script tag such as '<script>deleteUser()</script>'. When the corresponding Rule Set or Inventory page is viewed in the GUI, this script executes with the permissions of the logged-in user; in this example, engine users would be deleted.
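The following script is an added example, not Delphix code, that implements the detection check described above over decoded JSON bodies from the six metadata endpoints, and shows the output encoding that keeps such a name inert when rendered. It assumes the paged response shape (`_pageInfo` plus `responseList`) and field names such as `tableName` and `columnName`; the scanner walks every string in each body, so those names only need to be approximately right. The sample responses are constructed for the example and are not real engine output.

```python
import html
import re
from typing import Any, Dict, Iterator, List, Tuple

# Endpoints named in the advisory whose responses carry user-controlled names.
METADATA_ENDPOINTS = [
    "GET /table-metadata",
    "GET /column-metadata",
    "GET /file-metadata",
    "GET /file-field-metadata",
    "GET /mainframe-dataset-metadata",
    "GET /mainframe-dataset-field-metadata",
]

# Indicators that a name holds markup or script rather than a plain identifier.
# A tag is only flagged when a letter or '/' follows '<' directly, which is
# also what browsers require, so "A < B" style names are not reported.
INJECTION_PATTERNS = [
    ("html-tag", re.compile(r"</?[a-zA-Z][\w-]*[^>]*>?")),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
]


def iter_strings(obj: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string nested in a decoded response body."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(obj, str):
        yield path, obj


def classify(value: str) -> List[str]:
    """Return the names of the injection indicators present in one string."""
    return [name for name, pattern in INJECTION_PATTERNS if pattern.search(value)]


def scan_responses(responses: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Scan decoded JSON bodies keyed by endpoint; one finding per suspicious string.

    The bodies are passed in already decoded, so they can come from an
    authenticated API client or from saved JSON exports of each endpoint.
    """
    findings = []
    for endpoint, body in responses.items():
        for path, value in iter_strings(body):
            indicators = classify(value)
            if indicators:
                findings.append({"endpoint": endpoint, "path": path,
                                 "value": value, "indicators": indicators})
    return findings


def render_name(value: str) -> str:
    """Encode a name for HTML output so stored markup is shown as text, not executed."""
    return html.escape(value, quote=True)


# Constructed sample responses (assumed shape; not real engine output).
SAMPLE_RESPONSES = {
    "GET /table-metadata": {
        "_pageInfo": {"numberOnPage": 2, "total": 2},
        "responseList": [
            {"tableMetadataId": 1, "tableName": "CUSTOMERS", "rulesetId": 10},
            {"tableMetadataId": 2, "tableName": "ORDERS<script>deleteUser()</script>",
             "rulesetId": 10},
        ],
    },
    "GET /column-metadata": {
        "_pageInfo": {"numberOnPage": 2, "total": 2},
        "responseList": [
            {"columnMetadataId": 7, "columnName": "EMAIL", "tableMetadataId": 1},
            {"columnMetadataId": 8, "tableMetadataId": 2,
             "columnName": '<a href="javascript:deleteUser()">EMAIL</a>'},
        ],
    },
    "GET /file-metadata": {
        "_pageInfo": {"numberOnPage": 1, "total": 1},
        "responseList": [{"fileMetadataId": 3, "fileName": "payroll_2023.csv"}],
    },
    "GET /file-field-metadata": {
        "_pageInfo": {"numberOnPage": 1, "total": 1},
        "responseList": [{"fileFieldMetadataId": 4, "fileMetadataId": 3,
                          "fieldName": "SSN<b onclick=deleteUser()>"}],
    },
}

if __name__ == "__main__":
    for finding in scan_responses(SAMPLE_RESPONSES):
        print(f"{finding['endpoint']} {finding['path']}: "
              f"{finding['indicators']} -> {finding['value']!r}")
        print("  rendered safely as:", render_name(finding["value"]))
```

Run against a live engine by fetching each endpoint in `METADATA_ENDPOINTS` with an authenticated client, decoding the JSON, and passing the bodies to `scan_responses`; any finding should be treated as an indicator of compromise and the offending name reviewed and removed. The `render_name` helper shows the defensive side: with the name HTML-escaped, the `<script>` sample no longer contains a tag at all.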


  • At the network layer, IP address allowlisting may be used to limit Delphix appliance access to only approved users.  

  • Customers should upgrade to or later


This issue is resolved in the and releases.