Security vulnerability #6351
Comments
At a glance, without going into the code, I believe this is inside of the tests. I think it may be a false positive; please send the CVE link.
Thank you for your response. I don't have a CVE link but have some data from a Fortify scan. The file path in the repo is \axios\dist\axios.js. In this case, the data is sent at setAttribute() in the axios.js file. The malicious content sent to the web browser often takes the form of a JavaScript segment, but can also include HTML, Flash or any other type of code that the browser executes. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data such as cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
Hello @jasonsaayman, I think I have encountered a similar issue. I used Checkmarx for vulnerability scanning, and the Axios version is 1.7.7. The documentation explains that in axios.js, the source is line 793, and the destination is line 782.
However, since this is the result after the Vue build, I suspect it should be the following function, from line 2656:
If there is confirmed cybersecurity risk, I hope you can assist in handling it. The following is what I found in CHATGPT. It suggested the following solutions: The issue you encountered is due to unfiltered or unencoded external input being directly embedded into HTML attributes in the axios-DsPaXkF5.js file, which can lead to potential cross-site scripting (XSS) attacks. This is a security vulnerability that should be properly addressed. Here are a few solutions:
Thanks for the additional information. I will try to get an appropriate fix for this.
Describe the issue
As part of our company's security policy, we run all our applications through Fortify scan. Fortify scan raised a flag in the axios.js file where setAttribute('href', href) has been used. It is suggesting to validate data which passes through this setAttribute('href', href). Could you please suggest something. Thank you.
Example Code
No response
Expected behavior
No response
Axios Version
No response
Adapter Version
No response
Browser
No response
Browser Version
No response
Node.js Version
No response
OS
No response
Additional Library Versions
No response
Additional context/Screenshots
No response
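As an added illustration of the kind of validation the scanner asks for (this is example code written for this page, not axios code and not from any comment above), the function below parses a candidate value with the WHATWG URL parser and only passes http(s) URLs on to `setAttribute('href', ...)`. The base URL `https://app.example/` and the element-like object are constructed placeholders so the block runs in Node without a DOM.

```javascript
// Added example: guard the setAttribute('href', ...) sink flagged by Fortify/Checkmarx.
// Only http: and https: are accepted; javascript:, data:, vbscript: etc. are rejected.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the normalized absolute URL string, or null when the value is unsafe.
// `base` is what relative inputs resolve against (constructed placeholder here;
// in a browser this would normally be location.href).
function validateHref(candidate, base = 'https://app.example/') {
  if (typeof candidate !== 'string') return null;
  let parsed;
  try {
    // The URL parser strips leading whitespace and lower-cases the scheme, so
    // "  JavaScript:alert(1)" still parses with protocol "javascript:".
    parsed = new URL(candidate, base);
  } catch {
    return null; // unparseable input is rejected rather than guessed at
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Guarded write to the sink. Returns true when the attribute was set,
// false when the candidate was rejected and nothing was written.
function setSafeHref(element, candidate, base) {
  const safe = validateHref(candidate, base);
  if (safe === null) return false;
  element.setAttribute('href', safe);
  return true;
}

// Constructed samples for a stand-alone run; a minimal element stand-in
// records what would have reached the real DOM attribute.
const samples = [
  'https://example.com/path?q=1',
  '/relative/path',
  '//cdn.example.org/lib.js',
  'javascript:alert(1)',
  '  JavaScript:alert(1)',
  'data:text/html,<b>x</b>',
];
const fakeAnchor = { attrs: {}, setAttribute(k, v) { this.attrs[k] = v; } };
for (const s of samples) {
  const ok = setSafeHref(fakeAnchor, s);
  console.log(`${ok ? 'set     ' : 'rejected'} ${JSON.stringify(s)} -> ${fakeAnchor.attrs.href ?? '(none)'}`);
}
```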