Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CSRF/XSS vulnerability through separator injection #1781

Closed
vaadin-bot opened this issue Sep 27, 2011 · 1 comment
Closed

CSRF/XSS vulnerability through separator injection #1781

vaadin-bot opened this issue Sep 27, 2011 · 1 comment
Labels

Comments

@vaadin-bot
Copy link
Collaborator

Originally by @hesara


The communication protocol in Vaadin permits injection of message separators, making it possible to alter the state of other visible components (CSRF - cross site request forgery).

This can also enable XSS attacks by modifying the state of certain components.

An attack vector exploiting this would be convincing the user to paste text containing attacker written code (including special characters) to certain components in the application.

It is also possible to perform such injection through URI fragments in applications that use UriFragmentUtility.

This vulnerability was discovered by Wouter Coekaerts (http://wouter.coekaerts.be).


Imported from https://dev.vaadin.com/ issue #7669

@vaadin-bot
Copy link
Collaborator Author

Originally by @hesara


Fixed in [21325], reviewed by Leif and Wouter Coekaerts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant