As I haven't received any advice, I'll open a Jira ticket directly.

On Mon, Aug 16, 2021 at 6:33 PM Luc Hua <[email protected]> wrote:

> Good afternoon,
>
> I'm a security researcher utilizing the CodeQL code analysis tool from GitHub to run queries against open-source projects to check security vulnerabilities.
>
> When I checked CVE-2017-17837 "XSS injection leak in the windowId handling" with the Apache DeltaSpike-JSF 1.8.0 module, I noticed a second issue of the same category in the same program <https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java>:
>
> Lines 98-99 (https://github.com/apache/deltaspike/blob/4e2502358526b944fc5514c206d306e97ff271bb/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java#L98-L99) have:
> <code>
> Cookie servletCookie = (Cookie) cookie;
> writer.write(",'initialRedirectWindowId':'" + secureWindowId(servletCookie.getValue()) + "'");
> </code>
>
> As the cookie value can be manipulated by end users and attackers, and therefore XSS attacks can be injected there, shall <code>writer.write</code> be changed to <code>writer.writeText</code>, similar to the change on line 81 <code>writer.writeText(windowId, null);</code>?
>
> The webpage <https://deltaspike.apache.org/community.html> says I'd better ask on the mailing list before submitting a Jira request. Please investigate this issue and advise on whether this is a valid security vulnerability and a Jira request shall be submitted or not.
>
> Thanks,
> luchua
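The contrast the report raises, writing an untrusted cookie value into an inline script verbatim versus encoding it first, as an added illustration that is not part of this thread and not DeltaSpike's code. It stands in for the JSF `ResponseWriter` with a plain `StringWriter`; the body of `secureWindowId` (an alphanumeric allowlist), the `encodeForJsString` helper and the sample cookie value are all assumptions made for the demonstration, not taken from the project. Because the value lands inside a JavaScript string literal in a script block, the hardened path here uses an allowlist plus JavaScript-string encoding rather than HTML text encoding.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.regex.Pattern;

/**
 * Added illustration, not DeltaSpike code. Contrasts raw concatenation of a
 * cookie value into an inline script with an allowlist check plus encoding.
 * The encoding rules below are an assumption for this demo, not a copy of
 * JSF's ResponseWriter.writeText behaviour.
 */
public class WindowIdEncodingDemo {

    // Assumed shape of a legitimate window id: short and alphanumeric.
    private static final Pattern WINDOW_ID = Pattern.compile("[A-Za-z0-9]{1,32}");

    /** Mirrors the pattern quoted in the report: raw concatenation, no encoding. */
    public static String renderRaw(String cookieValue) throws IOException {
        Writer writer = new StringWriter();
        writer.write(",'initialRedirectWindowId':'" + cookieValue + "'");
        return writer.toString();
    }

    /** Hardened variant: validate against the allowlist, then encode what is emitted. */
    public static String renderEncoded(String cookieValue) throws IOException {
        Writer writer = new StringWriter();
        writer.write(",'initialRedirectWindowId':'");
        writer.write(encodeForJsString(secureWindowId(cookieValue)));
        writer.write("'");
        return writer.toString();
    }

    /** Hypothetical allowlist check: anything outside the expected shape is dropped. */
    static String secureWindowId(String value) {
        if (value == null || !WINDOW_ID.matcher(value).matches()) {
            return ""; // do not reflect unexpected characters back into the page
        }
        return value;
    }

    /**
     * Encode every non-alphanumeric character as a \\uXXXX JavaScript escape, so
     * neither the string literal nor the enclosing script element can be closed
     * early by the value.
     */
    static String encodeForJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        String constructedCookie = "abc'<x>"; // constructed sample, not a real window id
        System.out.println("raw:      " + renderRaw(constructedCookie));
        System.out.println("encoded:  " + encodeForJsString(constructedCookie));
        System.out.println("hardened: " + renderEncoded(constructedCookie));
        System.out.println("valid id: " + renderEncoded("win7"));
    }
}
```

Running `main` shows the raw path emitting the quote and angle brackets unchanged, the encoder turning them into `\u0027`, `\u003c` and `\u003e`, and the hardened path emitting an empty id for the malformed cookie while passing `win7` through untouched. The allowlist does the real work; the encoder is a second layer in case the allowlist is later relaxed.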
