Gallup Addresses XSS Bugs in Website

Published: 23/11/2024   Category: security




Researchers flagged a pair of Gallup site XSS vulnerabilities.



UPDATE
Editor's Note: Dark Reading has become aware that a portion of the original Checkmarx research on these vulnerabilities is in dispute, prompting us to retract sections of our reporting below.
As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company's website that left it vulnerable to misuse by malicious actors.
Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report the XSS flaws — the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.
The flaws do not impact any of Gallup’s internal data or polling.
In the case of the first reflected XSS flaw, the researchers found that the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page.
In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page.
To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure untrusted data is properly encoded for its output context before it is written into the response markup (HTML) or the page DOM. Further, they recommend configuring a Content Security Policy (CSP) that restricts the locations from which the browser may fetch or execute scripts.
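The two mitigations the report recommends, output encoding and a restrictive CSP, shown as an added JavaScript example (not code from the article, Gallup or Checkmarx). The /kiosk.gx path and the ALIAS parameter come from the article; the function names, page template and nonce value are assumptions for illustration.

```javascript
// Added example (not the article's, Gallup's or Checkmarx's code): output
// encoding and a restrictive CSP, the two mitigations the report recommends.
// /kiosk.gx and ALIAS are from the article; everything else is assumed.

// Encode untrusted text for an HTML element or attribute context.
function encodeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  })[ch]);
}

// Reflected case: the server builds the kiosk page from the query string.
// encode:false reproduces the vulnerable pattern (ALIAS interpolated
// verbatim); the default encodes it before it reaches the markup.
function buildKioskPage(queryString, { encode = true } = {}) {
  const alias = new URLSearchParams(queryString).get('ALIAS') ?? '';
  const shown = encode ? encodeHtml(alias) : alias;
  return `<h1>Kiosk: ${shown}</h1>`;
}

// DOM-based case: client-side code reads location.search itself.
// Assigning textContent never parses markup, unlike innerHTML.
function setAliasText(element, search) {
  const alias = new URLSearchParams(search).get('ALIAS') ?? '';
  element.textContent = alias; // safe sink
  return element.textContent;
}

// Content-Security-Policy header that limits script sources to the site
// itself plus nonce-tagged inline scripts, so injected <script> tags and
// inline event handlers are not executed even if an encoding bug slips through.
function cspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}
```

The constructed test input below is the classic markup probe; with encoding on, no raw `<` survives into the page.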
This post was updated at 11:30AM ET on Sept. 11, 2024, to reflect that the bugs affected the website, not the Gallup Poll itself.
Another update was made at 4:53PM ET on Sept. 11, 2024, to clarify that neither vulnerability could have allowed attacker access to Gallup.com infrastructure and did not put internal data at risk of compromise.
A third update was made at 1:03PM ET on Sept. 12, 2024, to remove sections of the article that were based on now-disputed portions of the original Checkmarx blog.
