Hi Frappe Community,
During a recent security review, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the Website settings feature. This issue has been resolved as follows:
- Access Restriction: The Website settings feature is now accessible only to the Super-Admin user.
- Content Validation: A new validation has been implemented to deny adding HTML content to these settings, effectively mitigating XSS risks.
Feedback and Recommendations:
- The penetration testing team has confirmed that these measures are sufficient, marking the issue as resolved.
- The SEM team has downgraded the risk to Low as of 27-11-24.
- However, feedback from Livelawbazar on 30-11-24 recommends creating a ticket for the Frappe core team to further review and enhance this fix.
Proposal:
We suggest discussing whether any additional enhancements are required, such as:
- Regular security audits for the Website settings feature.
- Further refining input validation mechanisms to align with evolving security best practices.
Would it be appropriate to create a ticket for the Frappe core team to track this issue? If so, are there any specific guidelines for submitting security-related feature requests or fixes?
Looking forward to hearing your thoughts!
Best regards,
Nakul P Kumar
Faircode Infotech Pvt. Ltd.
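An added illustration of the two controls the post describes (role restriction plus rejection of HTML in Website Settings text fields); this is example code, not Frappe's own implementation, and the field names and sample documents are constructed for the demo. Rejecting markup at input is defence in depth: the templates that render these values must still escape them.

```python
import re
from html.parser import HTMLParser

ALLOWED_ROLE = "Super-Admin"                 # role named in the post
TEXT_FIELDS = ("title_prefix", "copyright")  # assumed field names for the demo

# Catches fragments such as an unterminated "<script" that the lenient
# stdlib parser passes through as plain text; "a < b" does not match.
_TAG_FRAGMENT = re.compile(r"<[A-Za-z/!?]")


class _MarkupDetector(HTMLParser):
    """Sets .found on any tag, comment, declaration or processing instruction."""

    def __init__(self):
        super().__init__()
        self.found = False

    def _hit(self, *args):
        self.found = True

    handle_starttag = handle_startendtag = handle_endtag = _hit
    handle_comment = handle_decl = handle_pi = _hit


def contains_html(value):
    """Return True if the string carries HTML markup of any kind."""
    if not value:
        return False
    detector = _MarkupDetector()
    detector.feed(value)
    detector.close()
    return detector.found or bool(_TAG_FRAGMENT.search(value))


def validate_website_settings(doc, user_roles):
    """Apply both controls from the post; returns 'ok' or the rejection reason.

    In a real site this logic would sit in the DocType's validate hook."""
    if ALLOWED_ROLE not in user_roles:
        return "denied: Website Settings can only be edited by %s" % ALLOWED_ROLE
    for field in TEXT_FIELDS:
        if contains_html(doc.get(field, "")):
            return "denied: HTML markup is not allowed in field '%s'" % field
    return "ok"


if __name__ == "__main__":
    # Constructed sample documents and roles, not real site data.
    clean = {"title_prefix": "Faircode", "copyright": "© 2024 Faircode"}
    tainted = {"title_prefix": "Faircode", "copyright": "<b>Faircode</b>"}
    print(validate_website_settings(clean, {"Super-Admin"}))
    print(validate_website_settings(tainted, {"Super-Admin"}))
    print(validate_website_settings(clean, {"Editor"}))
```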