Impact
A missing X-XSS-Protection header puts the Argo CD UI at risk of a cross-site scripting (XSS) attack. This should only affect users of legacy browsers, such as Internet Explorer.
Fixes
Argo CD from versions 1.7.12 and 1.8.4 now properly sets the X-XSS-Protection header to support better protection in legacy browsers.
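An added check for the header this advisory is about (example code, not Argo CD's own): it parses a raw HTTP response and reports whether X-XSS-Protection is missing, invalid, disabled or enabled, which is a quick way to confirm an upgraded instance actually sends it. The sample responses and the accepted value syntax are assumptions.

```python
"""Check an HTTP response for the X-XSS-Protection header.

Added example, not Argo CD code. The sample responses below are constructed.
"""
import re

# Accepted value shapes for X-XSS-Protection (assumption: this is the syntax
# legacy browsers understand; "1; mode=block" is the strictest form).
_VALUE_RE = re.compile(r"^(0|1(;\s*(mode=block|report=\S+))?)$", re.IGNORECASE)


def parse_headers(raw_response: str) -> dict:
    """Return a header map (names lowercased) from a raw HTTP/1.1 response;
    only the head section before the blank line is read."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    headers = {}
    for line in lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_xss_protection(raw_response: str) -> str:
    """Classify a response as 'missing', 'invalid', 'disabled' or 'enabled'."""
    headers = parse_headers(raw_response)
    value = headers.get("x-xss-protection")
    if value is None:
        return "missing"
    if not _VALUE_RE.match(value):
        return "invalid"
    if value.startswith("0"):
        return "disabled"
    return "enabled"


# Constructed sample responses: one resembling the pre-fix UI, one fixed.
VULNERABLE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
FIXED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 1\r\n\r\n<html>"

if __name__ == "__main__":
    for name, resp in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(f"{name}: X-XSS-Protection is {check_xss_protection(resp)}")
```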
Workarounds
N/A
References
For more information
If you have any questions or comments about this advisory: #argo-cd
Credits
This vulnerability was found and reported by SAP SE, T&I area, BTP Foundational Plane, K8S Delivery Team: Dimitar Kiryakov, Anatoli Krastev.
The Argo team would like to thank these contributors for their responsible disclosure and constructive communication during the resolution of this issue.