Ext JS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2018-8046 - Vulnerability Database

Ext JS

Ext JS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2018-8046

Medium

Reference: CVE-2018-8046

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2018-8046

Title: Ext JS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

The getTip() method of Action Columns of Sencha Ext JS 4 to 6 before 6.6.0 is vulnerable to XSS attacks even when passed HTML-escaped data. This framework brings no built-in XSS protection so the developer has to ensure that data is correctly sanitized. However the getTip() method of Action Columns takes HTML-escaped data and un-escapes it. If the tooltip contains user-controlled data an attacker could exploit this to create a cross-site scripting attack even when developers took precautions and escaped data.