Delphix

TB104 Executable JavaScript Can Be Entered into Self-Service Freeform Text Boxes


Alert Type

Security

Impact

Severity (NVD): High

Delphix CVSS v3.1 Score: 8.7

Delphix CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

  • Attack Vector (AV): Network (N)

  • Attack Complexity (AC): Low (L)

  • Privileges Required (PR): Low (L)

  • User Interaction (UI): Required (R)

  • Scope (S): Changed (C)

  • Confidentiality (C): High (H)

  • Integrity (I): High (H)

  • Availability (A): None (N)


Several user input fields in the Self Service feature of Continuous Data are vulnerable to cross-site scripting (XSS) in versions prior to 11.0.0.0: JavaScript entered into a freeform text box is rendered without adequate encoding and can execute in the browser of a user who views the affected page. The issue has been addressed in the 11.0.0.0 release. It applies only to the Self Service feature, and only when one or more Delphix users are enabled for Self Service. The CVSS vector above reflects this: an attacker needs a Self Service account (PR:L), a victim must view the page containing the injected text (UI:R), and the script then runs in the victim's browser session rather than in the Self Service component itself (S:C).

The Self Service feature of Continuous Data allows users with low, scoped privileges to execute predefined workflows without intervention by a more privileged Delphix user. Using Self Service requires both authentication and a Self Service authorization privilege assigned by a Delphix Admin, so the set of accounts able to enter such text is limited to those the Admin has explicitly enabled.
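As an added illustration of the class of bug this advisory describes (not Delphix code; the field name, the rendering helpers, the detection regex and the sample payload are all constructed for this example), the following JavaScript shows a freeform text value being placed into page markup verbatim, beside an output-encoded form, which is the standard remediation for this class of issue.

```javascript
// Added illustration of an XSS pattern in a freeform text field.
// Not Delphix code: the rendering helpers and the payload are hypothetical
// stand-ins for a text box whose saved value is later shown to another user.

// Constructed sample of what a user with access to the text box might save.
// (Constructed payload for this example, not one reported for the product.)
const SAMPLE_INPUT = 'Refresh prod copy <img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the saved text is concatenated into HTML markup as-is,
// so any tag or event handler it contains is parsed and executed by the
// browser of whoever views the page.
function renderUnsafe(savedText) {
  return `<td class="description">${savedText}</td>`;
}

// Hardened pattern: escape the HTML-significant characters before the text
// is placed into element content or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function renderSafe(savedText) {
  return `<td class="description">${escapeHtml(savedText)}</td>`;
}

// Crude check used here only to show the difference between the two outputs:
// does the produced markup contain a tag carrying an on* event attribute?
// Output encoding is the fix; a regex like this is not a substitute for it.
const ACTIVE_MARKUP = /<[a-z][^>]*\son[a-z]+\s*=/i;

function containsActiveMarkup(html) {
  return ACTIVE_MARKUP.test(html);
}

// In a browser, the equivalent safe path is `cell.textContent = savedText`,
// which never parses the saved value as HTML at all.

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderUnsafe(SAMPLE_INPUT));
  console.log('safe:  ', renderSafe(SAMPLE_INPUT));
}
```

The unsafe output still contains a live `<img ... onerror=...>` element; the encoded output shows the same characters to the viewer as inert text.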

Affected Products and Versions

This article applies to the following products and versions, with the following clarifications:

  • “supported releases” includes releases in Extended Support. 

  • releases that are out of support are not checked for vulnerability applicability.

Continuous Data (formerly Virtualization)

All versions of Continuous Data prior to 11.0.0.0 if Self Service is in use.

Continuous Data may be deployed in several configurations, all of which are susceptible to this issue. For clarity, each configuration is listed below together with the other Delphix products, to which the issue does not apply.

Affected   Configuration                               Notes
Yes        Continuous Data                             none
Yes        Cloud Engine                                none
Yes        Continuous Vault                            none
N/A        Select Connectors
N/A        Continuous Compliance (formerly Masking)
N/A        Containerized Masking
N/A        Hyperscale Compliance
N/A        Data Control Tower
N/A        Delphix Compliance Services


Mitigation

The following options provide temporary mitigation until Continuous Data is upgraded as described in the Resolution section.

Strong Option:

  • Disable Self Service until the engine is upgraded. The issue applies only while one or more users are enabled for Self Service, so removing the Self Service privilege from all users removes the exposure.

Moderate Option:

  • Restrict access to Self Service to a list of trusted users. This reduces but does not remove the exposure: any remaining Self Service user can still enter text that executes in the browser of other users who view it.

Resolution

The issue is resolved in DevOps Data Platform 11.0.0.0 and later releases for Continuous Data Engines.

Additional Information

This issue was identified as part of our standard security testing practices.


Self Service Admin Documentation:


General information on XSS attacks and vulnerabilities: