Title: Reflected Cross-Site Scripting (XSS) Vulnerability in dbFront
Type: XSS (Cross-Site Scripting) / CWE-80
Description:
A Reflected Cross-Site Scripting (XSS) vulnerability was identified in dbFront, where user-controlled input was not properly escaped when used in certain error messages. This allows the injection of arbitrary JavaScript code into those specific messages.
More details will be provided after affected clients have had time to upgrade.
Impact:
An attacker could exploit this vulnerability to trick a user into executing arbitrary JavaScript in the context of the affected application, potentially leading to session hijacking, phishing attacks, or other client-side impacts.
This is a reflected, not a stored, vulnerability, and it is only reachable by authenticated users.
Affected Versions: dbFront versions before 1.4.1.1263.
Fixed Versions:
This issue has been addressed in:
- version 1.4.1.1331 through corrected encoding.
- all versions of 1.4.2 through corrected encoding and enhanced security controls.
Mitigation: Users are advised to upgrade to the current version of either dbFront 1.4.1 or 1.4.2.
Credits: This issue was discovered and reported by Carlos de la Fuente (Novita) as part of our bug bounty.
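The defect class described above (a user-supplied value concatenated into an error message without HTML encoding) and the corrected encoding the fix refers to, as an added illustration that is not dbFront's code. The parameter, template and sample values are constructed; a structural check shows that an encoded template produces the same element/attribute shape for every input.

```python
import html
from html.parser import HTMLParser
from typing import Callable, List, Tuple

# Constructed sample values standing in for a request parameter that is
# echoed back inside an error message (the real parameter names are not public).
SAMPLE_INPUTS = [
    "Customer_42",              # ordinary value
    "<b>not plain text</b>",    # would add new elements to the page
    '" data-x="',               # would break out of a quoted attribute
]

def render_error_unsafe(value: str) -> str:
    """'Before': the user-controlled value is concatenated straight into markup."""
    return f'<div class="error" data-field="{value}">Invalid value for {value}</div>'

def render_error_safe(value: str) -> str:
    """'After': the value is HTML-encoded for both the attribute and text context."""
    enc = html.escape(value, quote=True)  # encodes & < > " and '
    return f'<div class="error" data-field="{enc}">Invalid value for {enc}</div>'

Shape = List[Tuple[str, Tuple[str, ...]]]

class _ShapeParser(HTMLParser):
    """Records every start tag with its attribute names, ignoring text and values."""
    def __init__(self) -> None:
        super().__init__()
        self.shape: Shape = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.shape.append((tag, tuple(name for name, _ in attrs)))

def structure(markup: str) -> Shape:
    parser = _ShapeParser()
    parser.feed(markup)
    parser.close()
    return parser.shape

def input_alters_structure(render: Callable[[str], str], value: str) -> bool:
    """True when the value changes the element/attribute shape the template yields.

    A correctly encoded template gives the same shape for every input; a
    different shape means the input reached the browser's parser as markup.
    """
    return structure(render(value)) != structure(render("baseline"))

if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(repr(value),
              "unsafe:", input_alters_structure(render_error_unsafe, value),
              "safe:", input_alters_structure(render_error_safe, value))
```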