Captivate 2019 output cross-site scripting and injection flaws in security scan

Apr 06, 2020
Hi - We recently upgraded to Captivate 2019 to update some old video content. Our Fortify On-Demand (FOD) security scan has flagged two files with High and Critical security flaws. I've searched the forum but can't find any reference to these issues in a later version of Captivate. I had hoped that by upgrading we wouldn't have these issues.


We are using these HTML5 videos on our web site as standalone introductions to our app, not part of an LMS.


FILE: CPXHRLoader.js
ISSUE: High severity Cross-Site Scripting: DOM on line 37. (Read g.href - Assignment to g.innerHTML)

I assume this is the section of code:

(h.a[b]=g.href,t()):(g.innerHTML='@import "'+r+'";',s(g))


FILE: Index.html
ISSUE: Critical severity Open Redirect on line 55.
ISSUE: High severity Cross-Site Scripting: DOM on line 55. (Read request.response - Assignment to window.location.href)

window.location.href = window.location.protocol + "//" + window.location.host + "/livepreview/" + response.folder + "/index.html";
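
The two sinks Fortify flags are the string-concatenated redirect and the CSS `@import` built into `innerHTML`. Below is an added example (my own code, not Adobe's Captivate output or the poster's files) showing how each sink would be hardened: the live-preview folder is restricted to a single plain path segment and resolved against the page's own origin, and the stylesheet reference is checked for same-origin and escaped as a CSS string. The function names, the `FOLDER_RE` pattern and the sample origin `https://example.test` are my assumptions.

```javascript
// Hardened replacements for the two flagged sinks, written as plain functions
// (no DOM access) so they can be unit-tested in Node. Names are assumed.

// Live-preview folder: one plain path segment, no slashes, dots or percent signs.
const FOLDER_RE = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;

// Replacement for:
//   window.location.href = protocol + "//" + host + "/livepreview/" + response.folder + "/index.html";
// Returns the URL to navigate to, or null when the server-supplied folder is
// not acceptable (the caller then simply does not redirect).
function buildLivePreviewUrl(origin, folder) {
  if (typeof folder !== 'string' || !FOLDER_RE.test(folder)) {
    return null; // rejects "", "../x", "//evil.example", "x?y=1", "%2e%2e"
  }
  // Resolving an absolute path against our own origin means the result can
  // never point at another host, even if the allowlist were loosened later.
  const url = new URL('/livepreview/' + encodeURIComponent(folder) + '/index.html', origin);
  return url.origin === new URL(origin).origin ? url.href : null;
}

// Replacement for:  g.innerHTML = '@import "' + r + '";'
// Two controls: the stylesheet must resolve to the same origin and end in .css,
// and the final value is escaped as a CSS string so it cannot close the quote.
// The returned rule should be assigned via g.textContent, never innerHTML.
function buildImportRule(origin, href) {
  let resolved;
  try {
    resolved = new URL(href, origin);
  } catch (e) {
    return null; // unparseable reference: load nothing
  }
  if (resolved.origin !== new URL(origin).origin) return null;
  if (!/\.css$/i.test(resolved.pathname)) return null;
  // CSS string escape: replace quote, backslash and line breaks by \hex<space>
  const escaped = resolved.href.replace(/["\\\n\r]/g,
    c => '\\' + c.charCodeAt(0).toString(16) + ' ');
  return '@import "' + escaped + '";';
}
```

In the page itself the call sites become `const u = buildLivePreviewUrl(window.location.origin, response.folder); if (u) window.location.href = u;` and `g.textContent = buildImportRule(window.location.origin, r)` (skipping the append when it returns null).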

Apr 09, 2020

I received a private message on the forum to contact support via email, but have not heard back. 

Note that someone sent the PM the same day (April 6), but it did not generate an email notification to me, and I only saw it when I logged back in two days later.  
