This flaw allows an attacker to inject malicious code into the application or execute arbitrary commands when a user browses a maliciously-crafted website. A work around is to filter the normalizePath function through an application whitelist.
Hertz v0.4.0 ws discovered to have a XSS injection vulnerability via the process.env.X variable.
There is a way to bypass the filtering of process.env.X and inject code into the application. A possible attack scenario would be injecting code that redirects to another domain or download a malicious file.
Hertz v0.5.0 ws discovered to have XSS injection vulnerability via the process.env.X variable.
Further, there is no mitigations for this XSS injection vulnerability.
Hertz v0.6.0 ws discovered to have a XSS injection vulnerability via the process.env.X variable.
Further, there is no mitigations for this XSS injection vulnerability.
Hertz v0.7.0 was discovered to have a XSS injection vulnerability via the process.env.X variable.
Further, there is no mitigations for this XSS injection vulnerability.
Hertz v0.8.0 was discovered to have a XSS injection vulnerability via the process.env.X variable.
Further, there is no mitigations for this XSS
How do I find out if my website is vulnerable?
To manually determine if your website is vulnerable, visit the following URL:
https://www.hertz.com/security-center/index.html
If you see the message "The website is not vulnerable to this type of attack," then your website is not vulnerable to XSS injection vulnerabilities.
Timeline
Published on: 09/28/2022 14:15:00 UTC
Last modified on: 09/29/2022 18:49:00 UTC