iDempiere Security Notification / IDEMPIERE-3980


Carlos Antonio Ruiz Gómez

Jul 9, 2021, 5:35:12 AM
to iDempiere

IDEMPIERE-3980 - Cross Site Scripting XSS

Project: iDempiere
Severity: Critical
Versions: All known versions of Adempiere / iDempiere
Exploit type: Cross-site Scripting (XSS)
Reported Date: 2021-June-4
Reported By: ranjit-git
Reported first at: huntr.dev platform - thanks to Jamie Slome for contacting us and letting us know
_____________________________________

First of all, thanks to Jamie Slome for reporting this vulnerability, and to ranjit-git for discovering it (kudos to him - I don't have his email).

Description

A vulnerability has been found in the Image Upload dialog.
It is a new vulnerable point of the same vulnerability found two years ago.

Affected Installs

All iDempiere versions
All Adempiere versions

Mitigation

Update your version to release 8.2 - 2021-06-09
or
apply in your code the patch from commit fa0b52abd

Steps to reproduce

Image:
Based on the report by ranjit-git:
1 - Open the Business Partner window (or any window that allows uploading images)
2 - Click on the Logo field and upload the attached file evilsvgfile.svg
3 - Right click over the image displayed and click on Open Image in New Tab
4 - The system will show the message "Thais app is probably vulnerable to XSS attacks!"
5 - This is just an alert, but it can potentially execute arbitrary JavaScript
NOTE: In Adempiere the issue is visible in other windows, not Business Partner

This notification is following the Phased Disclosure approach described in the Vulnerability Management process for iDempiere.

Please note the objective of a phased disclosure is to provide you and your customers the opportunity to upgrade within a reasonable maintenance window to minimize rushed action and operational anxiety.

This notification is sent to the forum as Level Two in order to allow you to implement the workarounds.
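The advisory describes the root cause only at the level of "an SVG uploaded as a logo runs script when opened in a new tab". As an added illustration of the defensive checks an upload handler needs (example code written here, not iDempiere's own code nor the fa0b52abd patch), the block below sniffs the uploaded bytes instead of trusting the filename or declared MIME type, rejects SVG for a logo field by default, flags active content if SVG must be allowed, and picks response headers that keep a stored SVG from rendering in the application's origin. The sample files, the function names and the header choices are assumptions of this example.

```python
import re

# Magic bytes of the raster formats a logo field legitimately needs (constructed table).
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Deny-list of active-content markers inside SVG. A deny list is a detection aid only;
# rejecting SVG outright (the default below) is the robust choice for a logo field.
ACTIVE_SVG = re.compile(
    rb"<\s*(script|foreignObject|iframe|embed|object)\b|\son[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

def sniff_image(data: bytes) -> str:
    """Classify an upload by its content; filename and declared MIME type are user-chosen."""
    for magic, mime in RASTER_MAGIC.items():
        if data.startswith(magic):
            return mime
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:1024].lower()  # skip BOM and whitespace
    if head.startswith(b"<") and b"<svg" in head:
        return "image/svg+xml"
    return "application/octet-stream"

def check_logo_upload(data: bytes, allow_svg: bool = False) -> tuple:
    """Return (accepted, reason). SVG is refused unless allow_svg, and then only if inert."""
    mime = sniff_image(data)
    if mime in RASTER_MAGIC.values():
        return True, mime
    if mime == "image/svg+xml":
        if not allow_svg:
            return False, "svg not accepted for logo field"
        if ACTIVE_SVG.search(data):
            return False, "svg contains active content"
        return True, mime
    return False, "unrecognised image format"

def response_headers(data: bytes) -> dict:
    """Headers for serving a stored image: never sniffable, and SVG never rendered in-origin."""
    mime = sniff_image(data)
    headers = {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}
    if mime == "image/svg+xml":
        headers["Content-Disposition"] = "attachment"  # download instead of "open in new tab"
        headers["Content-Security-Policy"] = "sandbox; script-src 'none'"
    return headers

# Constructed samples, not the reporter's evilsvgfile.svg:
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
EVIL_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"></svg>'
CLEAN_SVG = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
```

Serving uploaded images from a separate origin (a static file host) removes the remaining risk even for files the checks above miss.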