Time: 10:00 am, Eastern Time
Join Zoom Meeting
https://lyrasis.zoom.us/j/81398228834?pwd=SE0wdFN3NnFVbEhYVUhuM3BtQmVUQT09
Meeting ID: 813 9822 8834
Passcode: 728426
Indicating note-taker
The penetration testers contacted me with an additional finding for the VIVO server. This one relates to an issue with input not being sanitized for special characters, which could then be used to exploit the site. They consider this a high severity vulnerability and are documenting it as a reflected cross-site scripting vulnerability. They provided an example of exploiting the issue with the below URL.
https://vivo.mydomain.edu/visualizationAjax?vis=capabilitymap&query=291822&callback=ipretResultsoesic<script>alert(1)<%2fscript>cwz3i&noCacheIE=1687235208332
A couple of new issues have been recorded related to the Vitro code base. All have been resolved and merged into the main branch. Dragan will generate VIVO 1.14.0 Release candidate 4.
The vulnerability https://vivo.mydomain.edu/visualizationAjax?vis=capabilitymap&query=291822&callback=ipretResultsoesic<script>alert(1)<%2fscript>cwz3i&noCacheIE=1687235208332 is still present in the VIVO 1.14.0 release candidate. Not sure what is causing this issue. Dragan will respond to the Slack message.
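Added example, not VIVO or Vitro code and not taken from the testers' report: the example URL carries markup in the callback parameter, so one mitigation, assuming the endpoint echoes that parameter into a JSONP-style response, is to accept only identifier-shaped callback names and serve the result as JavaScript with sniffing disabled. The class, record and method names are hypothetical, and the sketch needs Java 16+ for the record.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

/** Hypothetical helper for illustration; not part of VIVO or Vitro. */
public class JsonpCallbackGuard {
    // Dotted JavaScript identifier such as "ipretResults" or "app.cb1".
    // matches() must consume the whole value, so <, >, quotes, parentheses and % never pass.
    private static final Pattern CALLBACK = Pattern.compile(
            "[A-Za-z_$][A-Za-z0-9_$]{0,63}(\\.[A-Za-z_$][A-Za-z0-9_$]{0,63}){0,4}");

    /** Minimal response model so the example runs without a servlet container. */
    record Response(int status, Map<String, String> headers, String body) {}

    /** Returns the callback name if it is safe to echo, otherwise empty. */
    static Optional<String> validate(String callback) {
        return Optional.ofNullable(callback).filter(c -> CALLBACK.matcher(c).matches());
    }

    static Response respond(String callback, String json) {
        Map<String, String> headers = new LinkedHashMap<>();
        // Tell browsers not to sniff the body as HTML.
        headers.put("X-Content-Type-Options", "nosniff");
        Optional<String> safe = validate(callback);
        if (safe.isEmpty()) {
            // Reject without echoing any part of the supplied value.
            headers.put("Content-Type", "text/plain; charset=UTF-8");
            return new Response(400, headers, "invalid callback parameter");
        }
        headers.put("Content-Type", "application/javascript; charset=UTF-8");
        // Comment prefix so the caller-supplied name is not the first bytes of the body.
        return new Response(200, headers, "/**/" + safe.get() + "(" + json + ");");
    }

    public static void main(String[] args) {
        String json = "{\"results\":[]}"; // constructed sample payload
        // Constructed inputs: a plain name, then the example URL's callback value, percent-decoded.
        String[] samples = {
            "ipretResults",
            "ipretResultsoesic<script>alert(1)</script>cwz3i"
        };
        for (String s : samples) {
            Response r = respond(s, json);
            System.out.println(r.status() + " " + r.headers().get("Content-Type") + " " + r.body());
        }
    }
}
```

The first sample is answered with status 200 and a JavaScript content type; the second is rejected with status 400 and none of the supplied value appears in the body.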
Claiming a publication is probably linked with privileges to edit a profile. Once this PR (https://github.com/vivo-project/VIVO/pull/3887) is merged, it will be quite easy to define this as a separate privilege. Therefore, this issue might be resolved by configuration in VIVO 1.15.0+. Georgy can present how it might be done after the summer break.