Cross-site scripting vulnerability in Google Web Toolkit (CVE-2012-5920) - Vulnerability Database

Description

A cross-site scripting (XSS) vulnerability exists in Google Web Toolkit (GWT) versions 2.4 through 2.5 Final that allows remote attackers to inject arbitrary web script or HTML into applications built with the toolkit. Because the flaw is in the framework rather than in any one application, it affects downstream products that bundle GWT, including JBoss Operations Network (ON) 3.1.1 and potentially other enterprise products. CVE-2012-5920 was assigned because the patch for the earlier CVE-2012-4563 was incomplete: an application that only applied that earlier fix remains exploitable.

Remediation

Take the following steps to remediate this vulnerability:

1. Upgrade GWT: Update to GWT version 2.5.1 or later, which contains the complete fix for this vulnerability; the patch shipped for CVE-2012-4563 alone is not sufficient. Review the official GWT release notes to ensure compatibility with your application before changing the toolkit version.

2. Verify the Fix: After upgrading, confirm that the deployed build actually carries the new version (check the gwt-user, gwt-servlet and gwt-dev artifact versions in the build configuration). Because GWT compiles client code to JavaScript at build time, the application must be recompiled and redeployed; swapping the library jar without regenerating the compiled output leaves the old vulnerable JavaScript in place. Then test all user input handling and output rendering functionality to confirm that the vulnerability has been resolved.

3. Review Application Code: Audit your application for proper input validation and context-appropriate output encoding. In GWT, prefer the SafeHtml APIs (SafeHtmlUtils.fromString, SafeHtmlUtils.htmlEscape, SafeHtmlBuilder, SafeHtmlTemplates) over building markup from raw strings that are passed to setInnerHTML or HTML.setHTML, and use setText or setInnerText for plain text, since those never interpret markup. Ensure all user-supplied data is escaped for the context in which it is rendered before it reaches the browser.

4. Apply Defense-in-Depth: Implement Content Security Policy (CSP) headers to provide an additional layer of protection against XSS attacks, even if vulnerabilities exist in the framework. The policy only blocks injected inline script if script-src does not allow 'unsafe-inline', so roll it out first as Content-Security-Policy-Report-Only to find any GWT bootstrap or third-party scripts the policy would break, then enforce it.

5. Security Testing: Conduct thorough security testing, including XSS-specific test cases, after applying the upgrade to validate that the application is no longer vulnerable.

For organizations unable to upgrade immediately, consult the vendor's security advisories for temporary workarounds or compensating controls. For products that bundle GWT, such as JBoss ON, the fix arrives through the product vendor's update rather than by replacing the GWT library yourself.
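As an added example (not Invicti's tooling or the GWT project's own code), the following Python script carries out the version check behind steps 1 and 2 over a Maven POM: it resolves `${...}` properties, finds com.google.gwt dependencies, and flags any version inside the advisory's affected range. The sample POM is constructed for the example. The assumptions are labelled in the comments: the affected range is taken as 2.4.0 up to and including 2.5.0 (and its release candidates), any pre-release of 2.5.1 is still treated as unfixed, and pre-release qualifiers such as rc, beta and SNAPSHOT sort before the final release they precede.

```python
"""Flag GWT dependency versions in a Maven POM that fall in the range the
advisory lists for CVE-2012-4563 / CVE-2012-5920 (added example, not the
advisory's own tooling).

Assumptions beyond the advisory's "2.4 through 2.5 Final, fixed in 2.5.1":
2.4.0 final is the first affected version, any pre-release of 2.5.1 is still
treated as unfixed, and pre-release qualifiers sort before the final release.
"""
import re
import xml.etree.ElementTree as ET

GWT_GROUP = "com.google.gwt"
GWT_ARTIFACTS = {"gwt-user", "gwt-servlet", "gwt-dev"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)[-.]?(\d*))?$")


def parse_version(text):
    """Turn '2.5.0-rc1' into a sortable key: ((2, 5, 0), (0, 'rc', 1)).

    The rank's first element is 0 for pre-releases and 1 for a final release,
    so '2.5.0-rc1' < '2.5.0' < '2.5.1-rc1' < '2.5.1'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable GWT version: {text!r}")
    nums = [int(n) for n in m.group(1).split(".")]
    nums = (nums + [0, 0, 0])[:3]            # '2.5' is the same release as '2.5.0'
    qualifier = (m.group(2) or "").lower()
    if qualifier in ("", "final", "ga", "release"):
        rank = (1, "", 0)
    else:
        rank = (0, qualifier, int(m.group(3) or 0))
    return tuple(nums), rank


# Assumed bounds: first affected release (inclusive), first fixed release (exclusive).
AFFECTED_FROM = parse_version("2.4.0")
FIXED_FROM = parse_version("2.5.1")


def is_affected(version):
    """True when 2.4.0 <= version < 2.5.1 under the ordering above."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_FROM


def gwt_dependencies(pom_xml):
    """Yield (artifactId, version) for com.google.gwt dependencies in a POM.

    ${property} references are resolved from the POM's own <properties>;
    anything still unresolved (e.g. inherited from a parent POM) is yielded
    as-is so the caller reports it instead of silently skipping it.
    """
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]       # drop the Maven XML namespace
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    for dep in root.iter("dependency"):
        group = (dep.findtext("groupId") or "").strip()
        artifact = (dep.findtext("artifactId") or "").strip()
        version = (dep.findtext("version") or "").strip()
        if group != GWT_GROUP or artifact not in GWT_ARTIFACTS:
            continue
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), version)
        yield artifact, version


def audit_pom(pom_xml):
    """Return [(artifactId, version, status)]; status is True (affected),
    False (fixed) or None (unresolved or unparseable, check manually)."""
    results = []
    for artifact, version in gwt_dependencies(pom_xml):
        try:
            status = None if "${" in version else is_affected(version)
        except ValueError:
            status = None
        results.append((artifact, version, status))
    return results


# Constructed sample POM: one affected, one fixed, one release candidate,
# one unresolvable property, plus a non-GWT artifact that must be ignored.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><gwt.version>2.5.0</gwt.version></properties>
  <dependencies>
    <dependency><groupId>com.google.gwt</groupId><artifactId>gwt-user</artifactId>
      <version>${gwt.version}</version></dependency>
    <dependency><groupId>com.google.gwt</groupId><artifactId>gwt-servlet</artifactId>
      <version>2.5.1</version></dependency>
    <dependency><groupId>com.google.gwt</groupId><artifactId>gwt-dev</artifactId>
      <version>2.5.0-rc2</version></dependency>
    <dependency><groupId>com.google.gwt</groupId><artifactId>gwt-user</artifactId>
      <version>${parent.gwt.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>widgets</artifactId>
      <version>2.4.0</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, version, status in audit_pom(SAMPLE_POM):
        label = {True: "AFFECTED", False: "fixed", None: "UNRESOLVED"}[status]
        print(f"{artifact:12} {version:24} {label}")
```

Run it against a real pom.xml by replacing SAMPLE_POM with the file's contents. A None status means the version comes from a parent POM or a build profile and has to be resolved there; treating it as "probably fine" is exactly the mistake that leaves the old jar in place.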

Related Vulnerabilities