In Apollo change requests, comments added by users could contain a javascript: URI link that, when rendered, results in an XSS requiring user interaction.
Metrics
CVSS Version: 3.1
Base Score: 4.1 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE-ID: CWE-84
CWE Description: The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.
Source: Palantir
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC-ID: CAPEC-63
CAPEC Description: An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the user's privilege level. An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them into user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.
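The mitigation for the link-in-comment weakness described above is to allowlist the URI scheme of every user-supplied href before it is rendered, rather than trying to blocklist the string "javascript:". The following is an added example, not Apollo's code or Palantir's fix; the base origin, function names and sample inputs are assumptions. It relies on the WHATWG URL parser (built into browsers and Node.js), which applies the same normalisation a browser does when it follows a link (leading and trailing whitespace stripped, embedded tab and newline characters removed, scheme lower-cased), so the disguised spellings that CWE-84 covers resolve to the same scheme the browser would see.

```javascript
// Added example (not Apollo's code): allowlist link schemes in user comments
// so that a javascript: URI can never become a clickable href.

// Only these schemes may appear in a rendered comment link.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Assumed origin of the comment page; relative links resolve against it.
const BASE_ORIGIN = 'https://apollo.example.invalid/';

/**
 * Returns a normalised href for `raw`, or null if the link must be dropped.
 * `raw` is the decoded href value (after any HTML entity or markdown
 * processing), i.e. the string the browser would actually navigate to.
 */
function safeHref(raw) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    // The URL parser strips C0 controls/spaces at both ends, removes
    // embedded tabs and newlines, and lower-cases the scheme, so
    // "  JaVaScRiPt:" and "java\tscript:" both parse as "javascript:".
    url = new URL(raw, BASE_ORIGIN);
  } catch {
    return null; // unparsable input is not rendered as a link at all
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href; // serialised, normalised form
}

// Escape text for an HTML attribute value or element body.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

/**
 * Renders one comment link. Links with a disallowed scheme fall back to
 * plain escaped text, so the comment survives without a clickable payload.
 */
function renderLink(text, href) {
  const safe = safeHref(href);
  if (safe === null) return escapeHtml(text);
  return `<a href="${escapeHtml(safe)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Constructed sample comment links (not from the advisory).
const SAMPLE_LINKS = [
  ['docs', 'https://example.com/docs'],
  ['relative', '/change-requests/42'],
  ['mail', 'mailto:reviewer@example.com'],
  ['click me', 'javascript:alert(1)'],
  ['click me', '  JaVaScRiPt:alert(1)'],
  ['click me', 'java\tscript:alert(1)'],
  ['click me', 'data:text/html,<script>alert(1)</script>'],
];

// Render every sample; unsafe ones come back as plain text.
function renderSamples() {
  return SAMPLE_LINKS.map(([text, href]) => renderLink(text, href));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const html of renderSamples()) console.log(html);
}
```

Applying the check to the decoded href and then escaping the result on output covers both halves of CWE-84: a disguised scheme is normalised before the allowlist decision, and anything that does pass (including an entity-encoded string that never decoded into a scheme) is emitted as inert attribute text.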