Cross-Site Scripting (XSS) Vulnerability in Collection Name Field


Versions of TeleScope prior to 2020.1 were vulnerable to an XSS vulnerability whereby an actor, while creating a collection, could supply crafted HTML as the collection name containing arbitrary JavaScript code attached to DOM events.


This HTML would then be injected unchanged into the page shown to viewers of the collection; the DOM events would fire in the unsuspecting user's browser and execute the JavaScript, which could be used to leak the client's confidential information, such as the SessionID.




XSS attacks are prevented by validating all user inputs so that no executable code can be injected through them. This issue was fixed in TeleScope Executive 2020.1. If you are on an affected version, it is recommended that you upgrade to that version or later. If your TeleScope installation has customizations, or you are an OnDemand customer, please contact your Account Manager or support for help with this.



After upgrading, any code entered through this field is sanitized and rendered inexecutable by TeleScope, preventing the execution of any JavaScript code.
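The defect and its remedy, as an added example that is not TeleScope's code: a hypothetical renderer that concatenates the stored collection name straight into markup, beside one that HTML-encodes the name for the text context it lands in. The collection object, the `<h2>` layout and the sample name are all constructed for the example.

```javascript
// Added example (not TeleScope code): rendering a stored collection name.

// Characters that must be encoded before a string is placed in HTML text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for the HTML text (element content) context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the stored name is trusted and parsed as markup by the browser.
function renderCollectionUnsafe(collection) {
  return `<h2 class="collection-name">${collection.name}</h2>`;
}

// Hardened: the same name is encoded, so the browser shows it as text.
function renderCollectionSafe(collection) {
  return `<h2 class="collection-name">${escapeHtml(collection.name)}</h2>`;
}

// Constructed sample: a collection name of the kind the advisory describes,
// HTML carrying a script attached to a DOM event.
const SAMPLE_COLLECTION = { name: '<img src=x onerror="alert(1)">' };

// Extract whatever ended up between the <h2> tags.
function innerHtmlOfH2(html) {
  const m = html.match(/^<h2 class="collection-name">([\s\S]*)<\/h2>$/);
  return m ? m[1] : null;
}

// Regression check: the name region must contain no raw tag delimiters,
// otherwise the browser would parse part of it as markup instead of text.
function nameIsInert(html) {
  const inner = innerHtmlOfH2(html);
  return inner !== null && !/[<>]/.test(inner);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe inert:', nameIsInert(renderCollectionUnsafe(SAMPLE_COLLECTION)));
  console.log('safe inert:  ', nameIsInert(renderCollectionSafe(SAMPLE_COLLECTION)));
}
```

The same encoding is not sufficient if the name is later placed inside an attribute or a script block; each output context needs its own encoder.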


