  1. Hue (READ ONLY)
  2. HUE-9391

Possible Script Execution on Documents Page in Description Field

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.7.0
    • Fix Version/s: 4.8.0
    • Component/s: core.ui
    • Labels:
      None
    • Backward Incompatible:
      Backward Incompatible

      Description

      Problem statement: There is a risk of potential script execution if the description field is given a malicious XSS script (details below).

       

      Step 1: Log in and click HUE

      Step 2: Navigate to Document Tab -> click on New -> select Hive Query

      Step 3: Type some random query -> click on Save -> on the popup give

      name : Some Random Name

      Description  : ><<<script>prompt() 

      Step 4: Save the document

      Step 5: On the left panel, navigate to Documents -> find the document just saved -> click on the ℹ️ icon -> you will find the script being executed.

       

      attached
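
The class of fix for this report is output encoding of the description wherever it is rendered. The block below is an added example, not code from Hue or from the reporter: `escapeHtml`, `renderDocInfo`, `renderDocInfoUnsafe`, `hasInjectedMarkup` and the popover markup are hypothetical names and structure, and the sample document reuses the name and description values from Step 3.

```javascript
// Added example: hypothetical renderer for a document info popover.
// None of these names or this markup come from the Hue code base.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe variant: user-controlled fields are concatenated into markup as-is.
function renderDocInfoUnsafe(doc) {
  return '<div class="doc-info"><h4>' + doc.name + '</h4><p>' + doc.description + '</p></div>';
}

// Hardened variant: every user-controlled field is encoded at output time.
function renderDocInfo(doc) {
  return '<div class="doc-info"><h4>' + escapeHtml(doc.name) + '</h4><p>' +
    escapeHtml(doc.description) + '</p></div>';
}

function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

// Regression check: rendering a document must not add any '<' beyond what the
// empty template already contains. Extra openers mean input became markup.
function hasInjectedMarkup(renderFn, doc) {
  const baseline = countTagOpeners(renderFn({ name: '', description: '' }));
  return countTagOpeners(renderFn(doc)) !== baseline;
}

// Constructed sample using the field values given in the report.
const sampleDoc = { name: 'Some Random Name', description: '><<<script>prompt()' };

console.log('unsafe renderer injects markup:', hasInjectedMarkup(renderDocInfoUnsafe, sampleDoc));
console.log('hardened renderer injects markup:', hasInjectedMarkup(renderDocInfo, sampleDoc));
console.log(renderDocInfo(sampleDoc));
```

The same check can run as a unit test against any view that displays saved document metadata, so that a later template change cannot silently reintroduce raw interpolation.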

            People

            • Assignee: asnaik Akhil S Naik
            • Reporter: asnaik Akhil S Naik