SB2018101507 - Cross-site scripting in Branch.io
Published: October 15, 2018 Updated: February 20, 2019
Security Bulletin ID
SB2018101507
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) DOM-based cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists within branch.io toolkit due to insufficient sanitization of user-supplied data. The vulnerability allows a user with permissions to edit which attribute is used in the breadcrumbs bar to store code that will be executed on the client side.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.