When a user visits a malicious site, a malicious script can be loaded in the client and used to exploit this vulnerability.

ETAP Lighting International NV ETAP Safety Manager 1.0.0.32 does not disable the 'javascript:' protocol, so any page that uses the 'javascript:' protocol can be loaded in the client without being blocked.

ETAP Lighting International NV ETAP Safety Manager 1.0.0.32 does not validate the 'X-Requested-With' header, so a site that relies on the 'X-Requested-With' header to protect against XSS gets no protection from it.

ETAP Lighting International NV ETAP Safety Manager 1.0.0.32 does not properly validate the 'user-agent' header, so a site that relies on the 'user-agent' header to protect against XSS gets no protection from it.

ETAP Lighting International NV ETAP Safety Manager 1.0.0.32 does not properly validate the 'referer' header, so a site that relies on the 'referer' header to protect against XSS gets no protection from it.

ETAP Lighting International NV ETAP Safety Manager 1.0.0.32 does not properly validate the 'accept-language' header, so a site that relies on the 'accept-language' header to protect against XSS gets no protection from it.

How do you protect against Cross-site Scripting?

To protect against XSS, make sure your site applies the following measures:

- Use a Content Security Policy header. This header tells browsers which types of content they may and may not load on your site.
- Use an X-Requested-With header carrying the expected value, such as "XMLHttpRequest".
- Validate user agent strings, including the 'user-agent' header.
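As an added illustration of the first recommendation (this code is not part of the advisory or the vendor's product), the following Python audits a Content-Security-Policy header for settings that still let injected script run, including 'unsafe-inline', which also re-enables the 'javascript:' URLs discussed above. The sample headers are constructed for the example.

```python
# Added example: audit a Content-Security-Policy header for weak script
# sources. Sample headers below are constructed, not taken from any product.
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header: str) -> List[str]:
    """Return findings about script execution; an empty list means none found."""
    findings: List[str] = []
    policy = parse_csp(header)
    # script-src falls back to default-src when absent; with neither set,
    # the browser allows script from any origin.
    sources: Optional[List[str]] = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        findings.append("no script-src or default-src: script from any origin allowed")
        return findings
    # A nonce or hash makes browsers ignore 'unsafe-inline' (CSP level 2+).
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline' in script-src: inline handlers and javascript: URLs allowed")
    for broad in ("*", "data:", "http:", "https:"):
        if broad in sources:
            findings.append(f"{broad} in script-src: script from arbitrary hosts allowed")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' in script-src: eval() of injected strings allowed")
    return findings


# Constructed sample policies: one weak, one restrictive.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRONG_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'"

if __name__ == "__main__":
    for name, hdr in (("weak", WEAK_CSP), ("strong", STRONG_CSP)):
        print(name, audit_csp(hdr) or ["ok"])
```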

Timeline

Published on: 09/28/2022 14:15:00 UTC
Last modified on: 09/30/2022 18:20:00 UTC
