I think this ticket is similar to #3035? Let's move discussion there.
The data.gouv.fr application is vulnerable to a persistent Cross Site Scripting (XSS) attack on /api/1/me. The data is inserted into the application through the first_name, last_name and website parameters in /api/1/me. In this case, XSS is triggered when a victim visits any page that contains information relating to the user with infected fields, such as the respective user profile and created data sets or reuses created by the user.
Persistent XSS vulnerabilities are the most concerning among the three types of XSS. They appear when data submitted in an HTTP request is stored (usually in a database) without validation. An attacker can use this vulnerability to build a message based on JavaScript code that will be stored in the database and later loaded by the application and sent to all users who open the page. When viewed by anyone, the malicious JavaScript code is loaded and executed in their browser in the context of the currently open session. The code generated by the attacker can carry out a wide variety of actions, such as stealing the session cookie, allowing him to escalate privileges in the application, or even carrying out keylogging.
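The two controls that close a stored XSS of this shape are server-side validation of the profile fields when they are written and context-aware output encoding everywhere they are rendered (profile page, dataset and reuse pages alike). The example below is added here and is not udata's or data.gouv.fr's code; it assumes a hypothetical JSON body for the /api/1/me update and hypothetical helper names, and it shows that a `javascript:` website is rejected at write time while markup in a name is neutralised at render time:

```python
import html
from urllib.parse import urlsplit

# Only absolute http(s) links may be stored in the "website" field.
ALLOWED_SCHEMES = {"http", "https"}
MAX_NAME_LEN = 100  # constructed limit for the example


class ProfileValidationError(ValueError):
    pass


def validate_website(url: str) -> str:
    """Accept only absolute http(s) URLs; reject javascript:, data:, relative paths."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ProfileValidationError("website must be an absolute http(s) URL")
    return parts.geturl()


def is_safe_website(url: str) -> bool:
    """Boolean wrapper around validate_website for callers that prefer no exception."""
    try:
        validate_website(url)
        return True
    except ProfileValidationError:
        return False


def validate_profile(payload: dict) -> dict:
    """Server-side check of a hypothetical /api/1/me update body before it is stored."""
    clean = {}
    for field in ("first_name", "last_name"):
        value = payload.get(field, "")
        if not isinstance(value, str) or len(value) > MAX_NAME_LEN:
            raise ProfileValidationError(f"{field} must be a string of at most {MAX_NAME_LEN} chars")
        clean[field] = value.strip()
    if payload.get("website"):
        clean["website"] = validate_website(payload["website"])
    return clean


def render_profile_html(profile: dict) -> str:
    """Output encoding at render time: escape text nodes and attribute values separately."""
    name = html.escape(f"{profile['first_name']} {profile['last_name']}", quote=True)
    out = f"<h1>{name}</h1>"
    if profile.get("website"):
        href = html.escape(profile["website"], quote=True)  # quote=True covers the attribute context
        out += f'<a href="{href}" rel="noopener nofollow">{href}</a>'
    return out


if __name__ == "__main__":
    # Constructed sample: a name carrying markup and a benign website.
    sample = {"first_name": "<script>alert(1)</script>", "last_name": "Dupont",
              "website": "https://example.org/"}
    print(render_profile_html(validate_profile(sample)))
```

Validation alone is not enough because names legitimately contain characters such as `'` or `&`; the escaping step is what makes every page that embeds the stored fields safe, so it must be applied (or enforced by template autoescaping) in each of those views.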