Newsletter Subscription web part and XSS

Mark Elliott asked on April 21, 2020 23:09

We just had a security audit completed and it flagged the only two pages on our site that use the Newsletter Subscription web part. It was flagged as being vulnerable to an onmouseover event. Has anyone experienced a similar issue with this web part?

Thanks

Mark

Recent Answers

Juraj Ondrus answered on April 22, 2020 08:45

Do you have any proof of concept, some steps how to reproduce the issue? If yes, please send the details to support@kentico.com.

Also, what version of Kentico are you using? If you are concerned about security, you should be using the latest available version and patch of any kind of software.


Mark Elliott answered on April 22, 2020 17:05

Hi Juraj,

In this case all I have is the report from the security audit that JavaScript was returned to the user for those two pages that implement that web part. We are on v11.0.21. I did check the later hotfixes and didn't see any issues pertaining to that web part.


Juraj Ondrus answered on April 24, 2020 04:58

Well, without further details it is hard to tell. Anyway, if you mean the XSS is in the web part itself - when editing it - then yes. However, a user who has access to the Design tab and can add web parts has much easier ways to damage or hack the web site. If we are talking about the live site - where everyone has access - then we are not aware of any security issues here.


Mark Elliott answered on April 24, 2020 16:38

Hi Juraj,

It is the live site in the report. Unfortunately, the report doesn't have a whole lot of details. The only thing the report indicates is that on those two pages the test added an onmouseover event and was able to get the JavaScript reflected back. I've asked for more details to be provided.

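The finding described in the report (a submitted form value written back into the page so that an injected onmouseover attribute survives) comes down to missing attribute encoding on the reflected value. The following is an added Python example, not Kentico's code or the web part's: it renders a constructed subscription field both raw and attribute-encoded, then parses the result the way a browser would to check whether an event-handler attribute was created. The field name and probe string are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed probe, representative of what an audit scanner submits in a form
# field: it closes the value attribute and supplies an event-handler attribute.
PROBE = '" onmouseover="probe()'


def render_unsafe(email: str) -> str:
    """Weak rendering: the submitted value is written back into the markup raw."""
    return f'<input type="text" name="txtEmail" value="{email}">'


def render_safe(email: str) -> str:
    """Hardened rendering: attribute-encode the reflected value (quotes included)."""
    return f'<input type="text" name="txtEmail" value="{html.escape(email, quote=True)}">'


class _AttrCollector(HTMLParser):
    """Records every on* attribute as a browser's parser would see it."""

    def __init__(self):
        super().__init__()
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.event_attrs.append((tag, name.lower()))


def event_handlers(markup: str) -> list:
    """Return (tag, attribute) pairs for each event-handler attribute in the markup."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.event_attrs


def is_reflected(render, probe: str = PROBE) -> bool:
    """True if rendering the probe produces an event-handler attribute, i.e. the
    reflection is a real attribute injection rather than harmless text."""
    return bool(event_handlers(render(probe)))


if __name__ == "__main__":
    print("raw rendering reflects handler:", is_reflected(render_unsafe))   # True
    print("encoded rendering reflects handler:", is_reflected(render_safe))  # False
```

The same parse-based check can be pointed at the live page's response body for the two affected pages, so that a fix is verified by what the browser would parse rather than by a string search.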
