Delphix Community Platform


Security Notice for Community & Academy (2023-09-18)

By Michael Torok posted 09-18-2023 10:19:58 AM

  

On August 30th, 2023, the advanced search functionality used for community.delphix.com and academy.delphix.com was found to suffer from a reflected XSS vulnerability: certain user input in a search parameter was not being properly sanitized. The advanced search functionality was immediately disabled while a fix was worked on. The issue was resolved by implementing additional controls to validate and sanitize user input.

 

This type of vulnerability has the potential to be quite serious and can lead to execution of malicious code in the victim’s browser tab without their knowledge or consent. However, in this case there are several important mitigating factors that limit the impact:

  • Reflected XSS is temporal and requires some level of targeting of both the affected site and the potential victim(s).  

  • The scope of impact is limited because modern browsers implement sandboxing which prevents malicious scripts from interacting with other pages open in other tabs. 

  • Relevant security headers and cookie settings are in place to instruct the browser to protect sensitive cookies from scripts and block cross-site interactions.

  • Initial testing of the vulnerability indicated that the relevant security settings were effective at preventing proof-of-concept exploit code from accessing sensitive cookies, or exfiltrating information from the browser.
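The last two mitigating factors rest on response headers and cookie attributes, which can be checked mechanically. The following is an added example, not Delphix's code: it audits a response for cookies a script could read and for a policy that blocks inline scripts. The notice does not name the settings involved, so the attributes checked (HttpOnly, Secure, SameSite, Content-Security-Policy), the `session` cookie name and both sample responses are assumptions constructed for illustration.

```javascript
// Added example. Which settings count as "relevant" is an assumption;
// the notice does not list them.

// Parse one Set-Cookie value into { name, attrs } with lower-cased attribute names.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(";").map((s) => s.trim());
  const eq0 = pair.indexOf("=");
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1);
  }
  return { name: eq0 === -1 ? pair : pair.slice(0, eq0), attrs };
}

// Directive that governs scripts: script-src, falling back to default-src.
function scriptSrc(csp) {
  const dirs = csp.split(";").map((d) => d.trim());
  return dirs.find((d) => d.startsWith("script-src ")) ||
    dirs.find((d) => d.startsWith("default-src ")) || "";
}

// resp = { headers: {name: value}, setCookie: [header values] }; returns findings.
function auditResponse(resp, sensitiveCookies) {
  const findings = [];
  const headers = {};
  for (const [k, v] of Object.entries(resp.headers)) headers[k.toLowerCase()] = v;
  for (const line of resp.setCookie) {
    const { name, attrs } = parseSetCookie(line);
    if (!sensitiveCookies.includes(name)) continue;
    if (!attrs.httponly) findings.push(name + ": missing HttpOnly (readable via document.cookie)");
    if (!attrs.secure) findings.push(name + ": missing Secure");
    const ss = String(attrs.samesite || "").toLowerCase();
    if (ss !== "lax" && ss !== "strict") findings.push(name + ": SameSite is not Lax or Strict");
  }
  const csp = headers["content-security-policy"] || "";
  const src = scriptSrc(csp);
  // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
  const pinned = /'(nonce|sha(256|384|512))-/.test(src);
  if (!csp) findings.push("no Content-Security-Policy header");
  else if (!src || (src.includes("'unsafe-inline'") && !pinned)) findings.push("CSP does not block inline scripts");
  return findings;
}

// Constructed sample responses (not captured from any real site).
const WEAK = { headers: { "Content-Type": "text/html" },
  setCookie: ["session=abc123; Path=/", "theme=dark; Path=/"] };
const HARDENED = { headers: { "Content-Security-Policy": "default-src 'self'; script-src 'self'" },
  setCookie: ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax", "theme=dark; Path=/"] };
```

`auditResponse(WEAK, ["session"])` reports four findings and `auditResponse(HARDENED, ["session"])` reports none.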

As part of our commitment to transparency and trust, we’re publishing this security vulnerability notice and corresponding analysis.


#vulnerablility


#xss

Comments

10-18-2023 01:46:01 PM

We engaged a third-party Pentest team to test both the vulnerable and the current patched version of federated search on the site. The third-party team confirmed our initial findings that there was not a path to exfiltrate information nor access granted to sensitive cookies.

We consider this vulnerability resolved.