geode-issues mailing list archives

From "Jared Stewart (JIRA)" <>
Subject [jira] [Commented] (GEODE-1532) Pulse is vulnerable to clickjacking
Date Tue, 27 Sep 2016 18:47:20 GMT


Jared Stewart commented on GEODE-1532:

I have this fixed on a [branch |],
but it needs to wait for post 9.0 Beta to be merged in since it required bumping spring-security.

> Pulse is vulnerable to clickjacking
> -----------------------------------
>                 Key: GEODE-1532
>                 URL:
>             Project: Geode
>          Issue Type: Bug
>          Components: pulse
>            Reporter: Swapnil Bawaskar
>            Assignee: Jared Stewart
> The Pulse application is vulnerable to clickjacking. An attacker could frame in the web
> application and hijack a click, tricking a client into making an unintentional transaction.
> Attackers exploit this vulnerability by loading target pages in IFRAMEs but keeping them hidden,
> and then orienting the frame so that a user click on the embedding page is routed to a UI
> control on the embedded page. The attack will be hidden from the user and perpetrated without
> the user's knowledge.
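An added example (not Geode or Pulse code, and not part of the ticket) of the check a defender would run to confirm the fix described above: it classifies an HTTP response's anti-framing headers, honouring CSP frame-ancestors over X-Frame-Options as browsers do, and treating the obsolete ALLOW-FROM form as no protection. The sample responses are constructed.

```python
from typing import Dict, List, Optional

# Constructed sample responses (not captured from a real Pulse deployment).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo-deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://trusted.example"},
}


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify a response as 'denied', 'same-origin', 'restricted' or 'frameable'.

    Header names are matched case-insensitively. When both headers are present,
    browsers honour CSP frame-ancestors and ignore X-Frame-Options, so CSP wins.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    ancestors = _csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == ["none"]:
            return "denied"
        if ancestors == ["self"]:
            return "same-origin"
        return "frameable" if "*" in ancestors else "restricted"
    xfo = lower.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # Missing, ALLOW-FROM (ignored by modern browsers) or malformed: no protection.
    return "frameable"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each labelled response to its framing policy."""
    return {name: framing_policy(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:15s} {verdict}")
```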

This message was sent by Atlassian JIRA
