On August 30th, 2023 the advanced search functionality used for community.delphix.com and academy.delphix.com was found to suffer from a reflected XSS vulnerability: certain user input was not being properly sanitized in a search parameter. The advanced search functionality was immediately disabled while a fix was worked on. This was resolved by implementing additional controls to validate and sanitize user input.
This type of vulnerability has the potential to be quite serious and can lead to execution of malicious code in the victim’s browser tab without their knowledge or consent. However, In this case there are several important mitigating factors that limit impact:
-
Reflected XSS is temporal and requires some level of targeting of both the affected site and the potential victim(s).
-
The scope of impact is limited because modern browsers implement sandboxing which prevents malicious scripts from interacting with other pages open in other tabs.
-
Relevant security headers and cookie settings are in place to instruct the browser to protect sensitive cookies from scripts and block cross-site interactions.
-
Initial testing of the vulnerability indicated that the relevant security settings were effective at preventing proof-of-concept exploit code from accessing sensitive cookies, or exfiltrating information from the browser.
As part of our commitment to transparency and trust, we’re publishing this security vulnerability notice and corresponding analysis.
#vulnerablility
#xss