Tab characters in the Vulnerability Name cause Vulnerability Findings area to become non-responsive

[gKelsoCsiro]

Description:
The TAB character breaks the finding page when it's used as part of a Vulnerabilities name. This was found when copying a finding name from a MS Word template directly in.

POC:
The following POST data when sent to http://localhost:9000/portal/updateVulnerability will cause the issue.
vulnid=12&title=This is a Test asdf&_token=75779572-290f-4d62-a0cf-7011e4b59fe7

Screenshot:

The screenshot above shows the "You appear offline" popup and prevents interaction with the web browser.

Current work arounds:

• Ensure you don't copy-paste a tab into the Vulnerability Name
• Delete the finding once it's ID is determined via a direct request.

Further details:

Commit hash: 137d9fa
Branch name: main
Date of checkout: 10/10/2024 - AEST (Australian Eastern Standard Time)

Other:
Have tested using a container image hosted on *nix and Windows environments.
Testing has confirmed issue in Ms Edge and Chromium.

[summitt]

Try the newest release 1.3.26 and let me know if the issue persists.

[gKelsoCsiro]

Hi there,

Many thanks for the prompt response.

I've updated to the latest release.
Behaviour is now the following:
We can now create a Vulnerability with the TAB character in it's title; however

• Once the title is set, you're unable to modify it;
• It appears that the auto-post for the other fields in the vulnerability also stops working;
• Manually pushing a POST request to update the vulnerability is also ignored.; and
• On the bright side, I can now delete the vulnerabilities from the web interface, which means it's easier to fix when "manually importing" from word docs.

Again, many thanks for the assistance thus far.

[summitt]

I think we got it everywhere now :) ... @gKelsoCsiro see if 1.3.27 fixes this last issue.

[gKelsoCsiro]

Hey there,
I just did a full git pull and rebuild. It appears that the issue still remains.

I can delete the findings from the web interface. So that makes an easy work around.

However once a TAB character appears in the title, it breaks.

Entering new finding: (Can set CVSS score and title. Attempted to set a Vulnerability Description):

Upon navigating away from the finding, then back to it, it sets itself into a strange state in the web interface:

I'm using the same payload as mentioned in the first note: This is a Test asdf

Happy to keep testing things as this goes along.

[summitt]

Thanks for testing. I'll be trying to reproduce and get back to you.

[summitt]

I'm still unable to recreate this on the updated versions. Have you tried clearing cache? Hoping it's just the old javascript causing issues.

[gKelsoCsiro]

Excellent suggestion on purging the Cache. I should have thought of that before re-testing last time.
Apologies for that extra work. It's always appreciated. I've added that to my "You really need to remember to do this before pestering Developers anywhere" list.

In short: Fixed. Many thanks and much Kudos.