Reflected Cross-Site Scriptingredis-commander
Affected versions of
redis-commander contain a cross-site scripting vulnerability in the
highlighterId paramter of the clipboard.swf component on hosts serving Redis Commander.
Mitigating factors: Flash must be installed / enabled for this to work. The below proof of concept was verified to work using Firefox 57.0 on Windows 10 by manually installing the Flash NPAPI Windows plugin
Proof of concept
No direct patch for this vulnerability is currently available.
At this time, the best mitigation is to use an alternative, functionally equivalent package, or to use extreme caution when using redis-commander, ensuring that redis-commmander is the only web page you have open, and avoiding clicking on any links.
publishedAdvisory publishedJan 23rd, 2018
reportedInitial report by Yasin Soliman (ysx)Jan 23rd, 2018