CVE-2023-4432: Fix possible Cross-site Scripting (XSS) in Rest/GraphQL viewer · Cockpit-HQ/Cockpit@2a93d39
Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.
@@ -5,7 +5,7 @@
</head>
<body>
<rapi-doc
spec-url="<?=$openApiUrl?>"
spec-url="<?=$this->escape($openApiUrl)?>"
show-header="false"
show-info="false"
render-style="read"
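Review bot: the fix at `spec-url` only closes the reflected XSS if `$this->escape()` is safe for a double-quoted attribute context, i.e. it must encode `"` (htmlspecialchars with ENT_QUOTES or equivalent) and not just `<` and `>`; otherwise a value can still terminate the attribute early. Please confirm that in the helper and add a regression test that renders the template with an `$openApiUrl` containing a double quote and asserts the output contains `&quot;` rather than a raw `"`.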
@@ -14,12 +14,12 @@
<?php if($apiKey): ?>
api-key-name = “api-key”
api-key-location = “header”
api-key-value = “<?=$apiKey?>”
api-key-value = “<?=$this->escape($apiKey)?>”
<?php endif ?>
bg-color="<?=($bgColor ? $bgColor : ‘#10131a’)?>"
text-color="<?=($textColor ? $textColor : ‘#fafafa’)?>"
primary-color="<?=($primaryColor ? $primaryColor : ‘#0e8fff’)?>"
bg-color="<?=$this->escape($bgColor ? $bgColor : ‘#10131a’)?>"
text-color="<?= $this->escape($textColor ? $textColor : ‘#fafafa’)?>"
primary-color="<?= $this->escape($primaryColor ? $primaryColor : ‘#0e8fff’)?>"
></rapi-doc>
<script type="module" src="<?=$this->base(‘system:assets/vendor/rapidoc.js’)?>"></script>
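Review bot: inconsistent spacing in the new lines, `bg-color` and `api-key-value` use `<?=$this->escape(` while `text-color` and `primary-color` use `<?= $this->escape(`; pick one form for the file. The same attribute-context caveat from the first hunk applies to `api-key-value`, and the surrounding `api-key-name`/`api-key-location` lines use typographic quotes (`“api-key”`) rather than ASCII `"`, which should be checked in the actual source since rapi-doc will not treat those as attribute delimiters. Also worth stating in the commit message that this change addresses injection only: when `$apiKey` is set it is still emitted in clear text into the rendered page for anyone who can load the viewer.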
Related news
Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit version 2.6.3 and prior. A patch is available at commit 2a93d391fbd2dd9e730f65d43b29beb65903d195 and anticipated to be part of version 2.6.4.