[Interchange-announce] Admin XSS security vulnerabilities fixed (CVE-2020-12685)
Jon Jensen
jon at endpoint.com
Thu May 14 23:17:19 UTC 2020
The Interchange admin in versions 4.7.0 through 5.11.x (before 2020-05-15)
was vulnerable to cross-site scripting (XSS) injection attacks in the help
and quicklinks pages.
Attackers could use browser JavaScript to steal client-side credentials
such as a session cookie or delivered page data. The attack type is
reflected XSS, active for a single page request via tainted link, not
stored in the database or in page files or reusably in the session.
This was found and reported by Sean Fernandez. Thank you very much!
It has been assigned the identifier CVE-2020-12685.
To resolve the problem, apply the patch from this commit:
https://github.com/interchange/interchange/commit/243ab0eea0ae1d8d8f3e333128349f104b7e04bf
Or download the new versions of the 2 corrected files:
u1=https://raw.githubusercontent.com/interchange/interchange/243ab0eea0ae1d8d8f3e333128349f104b7e04bf
u2=$u1/dist/lib/UI/pages/admin
curl --remote-name-all $u2/help.html $u2/quicklinks.html
Then copy them into place in your global admin installation:
cp help.html quicklinks.html /path/to/interchange/lib/UI/pages/admin/
If you made catalog-local copies to customize those files, you will need
to apply the fixes there manually in /path/to/catalog/pages/admin/ also.
Restarting the Interchange daemon is not necessary.
The nightly build now includes the fixes, as will the upcoming 5.12.0
release.
This announcement is reposted from the website news area:
https://www.interchangecommerce.org/i/dev/news?mv_arg=00064
Jon
--
Jon Jensen
End Point Corporation
https://www.endpoint.com/
More information about the interchange-announce
mailing list