Author
HCSV #003, titled "Cross-Site Scripting (XSS)", was a critical issue involving a lack of server-side input sanitization, leading to potential Cross-Site Scripting (XSS) vulnerabilities. This affected all Hydraulisc-powered platforms that utilized user-generated content.
This was a MAJOR Security Vulnerability, which has been patched.
The missing backend HTML cleansing function allowed malicious actors to inject scripts via user input fields, leading to potential XSS attacks. Although frontend sanitization was in place, backend validation was not enforced, leaving a gap in the security measures in place.
This issue persisted until the vulnerability was identified and promptly addressed through proper input validation and sanitization mechanisms on the backend.
Attackers could potentially use this vulnerability to inject harmful JavaScript code into web pages viewed by other users, leading to unauthorized actions within the application.
The issue affected any Hydraulisc platform that relied on unvalidated user inputs, making it critical to implement the fix across all relevant platforms.
Please note, the team at Hydraulisc-Centric Security Vulnerability have agreed that this Security Vulnerability is no longer reproducible.
The backend now checks all user inputs to remove any special characters which could possibly lead to the injection of malicious scripts, and replace them with their HTML Character Entity counterparts so that no malicious scripts can be injected.
This security measure ensures that inputs bypassing the frontend still undergo proper sanitization.
Guide: Severity Numbers. Lower is better. Maximum value of 20, lowest of 1.
| HCSV Code | HCSV #003 |
| Severity | 17 |
| Date uncovered | Jan. 1, 2024 |
| Date patched | Jan. 20, 2024 |
| Paper release | Oct. 13, 2024 |
SleepingAmi