CVSS Summary
| Score | 6.5 Medium |
|---|---|
| Vector | Network |
| Complexity | Low |
| Authentication | Single |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
Advisory:
Stored XSS in Plotly allows less privileged users to insert arbitrary JavaScript into posts
Vulnerability
Last revised:
This plugin allows users who do not have the unfiltered_html capability to insert JavaScript into posts/pages which gets executed by the browsers of other users.
On single sites, only Administrators have the unfiltered_html capability, and on multisite, only Super Admins have this capability. This means that e.g. malicious Admins on a multisite, or malicious Editors would be able to perform XSS attacks against other site users and visitors.
Current state: Fixed
Proof of concept
- Create a new post as a user (without the unfiltered_html capability)
- Switch to text mode
- Place this link on a line by itself: https://plot.ly/~a/’onerror=’alert(1)’>
- View the post
Advisory timeline
- 2015-06-04: Discovered
- 2015-07-09: Reported to vendor via the contact form on the Plotly Enterprise site
- 2015-07-09: Requested CVE
- 2015-07-10: Vendor responded and confirmed fixed in 1.0.3
- 2015-07-13: Published
Mitigation/further actions
Upgrade to version 1.0.3 or later.
N.B. If all accounts are trusted, or all accounts have the unfiltered_html capability, then there is no issue.