Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vulnerability #6351

Open
swetha8612 opened this issue Apr 12, 2024 · 2 comments
Open

Security vulnerability #6351

swetha8612 opened this issue Apr 12, 2024 · 2 comments

Comments

@swetha8612
Copy link

Describe the issue

As part of our company's security policy, we run all our application through fortify scan. Fortify scan raised a flag in axios.js file where setAttribute('href' href) has been used. It is suggesting to validate data which passes through this setAttribute('href' href). Could you please suggest something. Thank you.

Example Code

No response

Expected behavior

No response

Axios Version

No response

Adapter Version

No response

Browser

No response

Browser Version

No response

Node.js Version

No response

OS

No response

Additional Library Versions

No response

Additional context/Screenshots

No response
@jasonsaayman
Copy link
Member

at a glance without going into the code i believe this is inside of the tests, I think it may be a false positive, please send drop the CVE link

@swetha8612
Copy link
Author

Thank you for your response. I don't have CVE link but have some data from fortify scan. The file path in the repo is \axios\dist\axios.js

In this case, the data is sent at setAttribute() in axios.js file.

The malicious content sent to the web browser often takes the form of a JavaScript segment, but can also include HTML, Flash or any other type of code that the browser executes. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data such as cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
Cross-site scripting (XSS) vulnerabilities occur when:

  1. Data enters a web application through an untrusted source. In the case of DOM-based XSS, data is read from a URL parameter or other value within the browser and written back into the page with client-side code. In the case of reflected XSS, the untrusted source is typically a web request, while in the case of persisted (also known as stored) XSS it is typically a database or other back-end data store.

  2. The data is included in dynamic content that is sent to a web user without validation. In the case of DOM-based XSS, malicious content is executed as part of DOM (Document Object Model) creation, whenever the victim's browser parses the HTML page.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jasonsaayman @swetha8612