
TB086 XSS Vulnerability with Masking Environment Overview Page




Alert Type



FIPS 199 Severity Level: Critical

CVSS Score: 9.0

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): L

User Interaction (UI): R

Scope (S): C

Confidentiality (C): H

Integrity (I): H

Availability (A): H

An attacker could inject active code onto the Masking Engine GUI’s Environment Overview page. When a user views these pages, the attacker’s code will execute with the permissions of the user viewing the page and therefore can perform any actions allowed by the user’s role (e.g., create a new Masking user, edit a Masking connector, et cetera).

Contributing Factors

Major Release All Sub Releases





This attack may be detected by reviewing the connector details (schema name and database name) returned by the Masking API endpoint GET /database-connectors. Any name that contains markup or code (e.g., HTML <script> tags, JavaScript) indicates an attack, since legitimate schema and database names never contain such content.


Suppose the API response contains a script tag such as <script>deleteUser()</script>. When the Environment Overview page renders that name, the script executes in the browser with the permissions of the logged-in user; in this example, engine users would be deleted.
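The check described above can be automated. The following Python script is an added example, not Delphix code: it scans a connector listing in the shape of a GET /database-connectors response for names that contain markup, script URLs or inline event handlers (a broader net than the single <script> example above), and shows the output-encoding step that neutralises such a stored value before it reaches page markup. The field names (connectorName, databaseName, schemaName, databaseConnectorId) and the sample response are assumptions constructed for the example; confirm them against your engine's API documentation.

```python
import html
import json
import re

# Constructed sample in the shape of a GET /database-connectors response.
# Field names are an assumption, not taken from the advisory; connector 1 is
# benign, connectors 2 and 3 carry stored markup.
SAMPLE_RESPONSE = json.dumps({
    "_pageInfo": {"numberOnPage": 3, "total": 3},
    "responseList": [
        {"databaseConnectorId": 1, "connectorName": "HR_PROD",
         "databaseName": "hrdb", "schemaName": "HR"},
        {"databaseConnectorId": 2, "connectorName": "HR_TEST",
         "databaseName": "<script>deleteUser()</script>", "schemaName": "PUBLIC"},
        {"databaseConnectorId": 3, "connectorName": "SALES",
         "databaseName": "sales", "schemaName": 'x" onmouseover="alert(1)'},
    ]
})

# Fields whose values are echoed into the Environment Overview page.
CHECKED_FIELDS = ("connectorName", "databaseName", "schemaName")

# Anything that looks like an HTML tag, a javascript: URL or an inline
# on*= event handler attribute. None of these belong in a schema or
# database name, so a single match is enough to flag the connector.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][^>]*>"      # <tag ...> or </tag>
    r"|javascript\s*:"           # javascript: URL scheme
    r"|\bon[a-z]+\s*=",          # onerror=, onmouseover=, ...
    re.IGNORECASE,
)


def is_suspicious_name(value):
    """True if a connector name field contains markup or script."""
    return isinstance(value, str) and SUSPICIOUS.search(value) is not None


def find_suspicious_connectors(response_json):
    """Return (connector id, field, value) for every field that looks injected.

    Takes the raw JSON body of GET /database-connectors so the same function
    can be pointed at a saved response or at output fetched with the API client.
    """
    findings = []
    body = json.loads(response_json)
    for connector in body.get("responseList", []):
        for field in CHECKED_FIELDS:
            value = connector.get(field)
            if is_suspicious_name(value):
                findings.append((connector.get("databaseConnectorId"), field, value))
    return findings


def render_name_safely(value):
    """Output-encode a name before interpolating it into HTML.

    This is the fix the GUI needs: with '<', '>', '&' and quotes escaped, a
    stored <script> tag is displayed as text instead of being executed.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for connector_id, field, value in find_suspicious_connectors(SAMPLE_RESPONSE):
        print(f"connector {connector_id}: {field} contains {value!r}")
        print(f"  escaped for display: {render_name_safely(value)}")
```

Run it against a saved API response by replacing SAMPLE_RESPONSE with the body returned by your engine; any finding is grounds for removing the connector and reviewing the audit log for the account that created it.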


  • At the network layer, IP address allow listing may be used to limit Delphix appliance access to only approved users.

  • It is strongly recommended that customers upgrade to or later


This issue is fully resolved in the release.

Additional Information


Related Documents