rucio-webui 1.26.2

Direct Vulnerabilities

Known vulnerabilities in the rucio-webui package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rendering of attacker-controlled input in Custom RSE Attribute. An attacker can execute arbitrary JavaScript in the context of the WebUI by injecting malicious payloads that are stored and later rendered to authenticated users. This may lead to session token theft, unauthorized actions, or exfiltration of sensitive data when a user views a compromised resource. How to fix Cross-site Scripting (XSS)? Upgrade `rucio-webui` to version 35.8.3, 38.5.4, 39.3.1 or higher.	[,35.8.3)[36.0.0rc1,38.5.4)[39.0.0rc1,39.3.1)
H Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the rendering of the `ExceptionMessage` in error responses, where user-controlled input is inserted into the DOM using unsafe methods. An attacker can execute arbitrary JavaScript in the context of the WebUI by enticing a user to visit a specially crafted URL or submit malicious input that triggers an error message containing attacker-supplied HTML or script. This can lead to theft of session tokens or impersonation of the victim user. How to fix Cross-site Scripting (XSS)? Upgrade `rucio-webui` to version 35.8.3, 38.5.4, 39.3.1 or higher.	[,35.8.3)[36.0.0rc1,38.5.4)[39.0.0rc1,39.3.1)
H Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the rendering of user-controlled input in the `identity name` field without proper output encoding. An attacker can execute arbitrary JavaScript in the context of the WebUI by storing malicious scripts in the `identity name` and tricking authenticated users into viewing affected pages. This can lead to session token theft, unauthorized actions, or exfiltration of sensitive data. How to fix Cross-site Scripting (XSS)? Upgrade `rucio-webui` to version 35.8.3, 38.5.4, 39.3.1 or higher.	[,35.8.3)[36.0.0rc1,38.5.4)[39.0.0rc1,39.3.1)
H Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rendering of RSE metadata in the WebUI. An attacker can execute arbitrary JavaScript in the users' context by injecting malicious scripts into the `City`, `Country_Name`, or `ISP` fields, which are then stored and rendered without proper output encoding. This can lead to session token theft, unauthorized actions, or exfiltration of sensitive data when a user views the affected pages. How to fix Cross-site Scripting (XSS)? Upgrade `rucio-webui` to version 35.8.3, 38.5.4, 39.3.1 or higher.	[,35.8.3)[36.0.0rc1,38.5.4)[39.0.0rc1,39.3.1)
H Sensitive Cookie Without "HttpOnly" Flag Affected versions of this package are vulnerable to Sensitive Cookie Without "HttpOnly" Flag via the `comment` field in the custom rules process. An attacker can execute arbitrary JavaScript in the context of the WebUI by submitting crafted input that is stored by the backend and rendered without proper output encoding when viewed by other users or administrators. This can lead to session token theft, unauthorized actions, or data exfiltration by enticing a victim to view a maliciously crafted rule. How to fix Sensitive Cookie Without "HttpOnly" Flag? Upgrade `rucio-webui` to version 35.8.3, 38.5.4, 39.3.1 or higher.	[,35.8.3)[36.0.0rc1,38.5.4)[39.0.0rc1,39.3.1)
M Information Exposure Affected versions of this package are vulnerable to Information Exposure via the `login` process. An attacker can determine the existence of valid usernames by submitting login attempts and analyzing the differences in error messages returned by the system. How to fix Information Exposure? Upgrade `rucio-webui` to version 35.8.3, 38.5.4, 39.3.1 or higher.	[,35.8.3)[36.0.0rc1,38.5.4)[39.0.0rc1,39.3.1)
M Information Exposure Affected versions of this package are vulnerable to Information Exposure such that authentication tokens are leaked to other users accessing the 'webui' within a close timeframe, thus allowing users to access the `webui` with the leaked authentication token. Privileges are therefore also escalated. Note: Rucio server / daemons are not affected by this issue. How to fix Information Exposure? Upgrade `rucio-webui` to version 1.26.7 or higher.	[1.26.0,1.26.7)
H Authentication Bypass Affected versions of this package are vulnerable to Authentication Bypass. A potential leak of the contents of cookies to other sessions within a `wsgi` container. `Rucio` authentication tokens are leaked to other users accessing the `webui` within a close timeframe, thus allowing users to access the `webui` with the leaked authentication token. Privileges are therefore also escalated. How to fix Authentication Bypass? Upgrade `rucio-webui` to version 1.26.7 or higher.	[1.26.0,1.26.7)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rendering of attacker-controlled input in Custom RSE Attribute. An attacker can execute arbitrary JavaScript in the context of the WebUI by injecting malicious payloads that are stored and later rendered to authenticated users. This may lead to session token theft, unauthorized actions, or exfiltration of sensitive data when a user views a compromised resource.

How to fix Cross-site Scripting (XSS)?

Upgrade rucio-webui to version 35.8.3, 38.5.4, 39.3.1 or higher.