We appreciate you taking the time to vote and add your suggestions to make our products awesome! Your request will be submitted to the community for review and inclusion into the backlog.

We recommend reviewing what is submitted before posting, in case your idea has already been submitted by another community member. If it has been submitted, vote for that existing feature request (by clicking the up arrow) to increase its opportunity of being added to Cireson solutions.

For more information around feature requests in the Cireson Community click here.

Sanitize Text Fields to Protect Against XSS Attacks

Nick_Flint

Nick_Flint Customer Advanced IT Monkey ✭✭✭

October 2019 in Service Manager Portal Feature Requests

HTML tags are very useful in the portal, but currently the portal is vulnerable to persistent cross-site scripting (pXSS) and other XXS attacks by anyone that can access the portal. Specifically comments, descriptions and other text fields.

With this vulnerability, an insider could perform pXSS to do a variety of malicious actions. These actions could include denial of service, malvertising, and malware redirection.

Please update the portal to sanitize user input fields prior to committing them to SCSM.

8

8

8 votes

Submitted · Last Updated October 2019

Comments

Peter_Miklian Customer Advanced IT Monkey ✭✭✭

March 2020

Our penetration testers identified this 'stored XSS' vulnerability, too. Not nice 😕

0

Sign In or Register to comment.

CIRESON COMMUNITY WEB SITE

TERMS OF USE

AGREEMENT BETWEEN USER AND CIRESON

The Cireson Community Web Site is comprised of various web pages operated by Cireson, LLC (collectively, the web pages are referred to herein as the “Cireson Community Web Site”).

The Cireson Community Web Site is offered to you conditioned on your acceptance of the terms, conditions, and notices contained herein without modification or exception. Your use of the Cireson Community Web Site constitutes your agreement to all such terms, conditions, and notices contained in these Terms of Use.

MODIFICATION OF THESE TERMS OF USE

Cireson reserves the right to change the terms, conditions, and notices under which the Cireson Community Web Site is offered, including but not limited to the charges associated with the use of the Cireson Community Web Site upon written notice.

LINKS TO THIRD PARTY SITES

The Cireson Community Web Site may contain links to other Web Sites (“Linked Sites”). The Linked Sites are not under the control of Cireson and therefore Cireson is not responsible for the contents of any Linked Site, including, without limitation, any link contained in a Linked Site, or any changes or updates to a Linked Site. Cireson is not responsible for webcasting or any other form of transmission received from any Linked Site. Cireson is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Cireson of the site or any association with its operators.

NO UNLAWFUL OR PROHIBITED USE

As a condition of your use of the Cireson Community Web Site, you warrant to Cireson that you will not use the Cireson Community Web Site for any purpose that is prohibited by law, rule regulation or by any of these terms, conditions, and notices, including, without limitation the export of any Software or technical data to any country prohibited by law. You may not use the Cireson Community Web Site in any manner which could damage, disable, overburden, or impair the Cireson Community Web Site or interfere with any other party’s use and enjoyment of the Cireson Community Web Site. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available or provided for through the Cireson Community Web Site.

USE OF COMMUNICATION SERVICES

The Cireson Community Web Site may contain bulletin board services, chat areas, news groups, forums, communities, personal web pages, calendars, and/or other message or communication facilities designed to enable you to communicate with the public at large or with a group (each a “Communication Service,” and collectively, “Communication Services”). You agree to use the Communication Services only to post, send and receive messages and material that are appropriate, proper and related to the particular Communication Service. By way of example, and not as a limitation, you agree that when using a Communication Service, you will not:

Defame, abuse, harass, stalk, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others.
Publish, post, upload, distribute or disseminate any inappropriate, profane, defamatory, infringing, obscene, indecent or unlawful topic, name, material or information.
Upload files that contain software or other material protected by intellectual property laws (or by rights of privacy of publicity) unless you own or control the rights thereto or have received all necessary consents.
Upload files that contain viruses, corrupted files, or any other similar software or programs that may damage the operation of another’s computer.
Advertise or offer to sell or buy any goods or services for any business purpose, unless such Communication Service specifically allows such messages.
Conduct or forward surveys, contests, pyramid schemes or chain letters.
Download any file posted by another user of a Communication Service that you know, or reasonably should know, cannot be legally distributed in such manner.
Falsify or delete any author attributions, legal or other proper notices or proprietary designations or labels of the origin or source of software or other material contained in a file that is uploaded.
Restrict or inhibit any other user from using and enjoying the Communication Services.
Violate any code of conduct or other guidelines which may be applicable for any particular Communication Service.
Harvest or otherwise collect information about others, including e-mail addresses, without their consent.
Violate any applicable laws, rules or regulations.

Cireson has no obligation to monitor the Communication Services. However, Cireson reserves the right to review materials posted to a Communication Service and to remove any materials in its sole discretion. Cireson reserves the right to suspend or terminate your access to any or all of the Communication Services at any time without notice for any reason whatsoever.

Cireson reserves the right at all times to disclose any information as necessary to satisfy any applicable law, rule, regulation, legal process or governmental request, or to edit, refuse to post or to remove any information or materials, in whole or in part, in Cireson’s sole discretion.

Always use caution when giving out any personally identifying information about yourself or your children in any Communication Service. Always use caution when giving out any information concerning your employer or customers, if any. Cireson does not control or endorse the content, messages or information found in any Communication Service and, therefore, Cireson specifically disclaims any liability with regard to the Communication Services and any actions resulting from your participation in any Communication Service. Managers and hosts are not authorized Cireson spokespersons, and their views do not necessarily reflect those of Cireson.

Materials uploaded to a Communication Service may be subject to posted limitations on usage, reproduction and/or dissemination. You are responsible for adhering to such limitations if you download the materials.

MATERIALS PROVIDED TO CIRESON OR POSTED ON THE CIRESON COMMUNITY WEB SITE

Cireson does not claim ownership of the materials you provide to Cireson via the Cireson Community Web Site (including feedback and suggestions) or post, upload, input or submit to the Cireson Community Web Site or its associated services (collectively “Submissions”). However, by posting, uploading, inputting, providing or submitting your Submission you are granting Cireson, its affiliated companies and sublicensees permission to use your Submission in connection with the operation of their Internet businesses including, without limitation, the rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; and to publish your name in connection with your Submission.

No compensation will be paid with respect to the use of your Submission, as provided herein. Cireson is under no obligation to post or use any Submission you may provide and may remove any Submission at any time in Cireson’s sole discretion.

By posting, uploading, inputting, providing or submitting your Submission you warrant and represent that you own or otherwise control all of the rights to your Submission as described in this section including, without limitation, all the rights necessary for you to provide, post, upload, input or submit the Submissions.

LIABILITY DISCLAIMER

THE INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES INCLUDED IN OR AVAILABLE THROUGH THE CIRESON COMMUNITY WEB SITE MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. CIRESON (OR ITS SUPPLIERS) MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE CIRESON COMMUNITY WEB SITE AT ANY TIME. ADVICE RECEIVED VIA THE CIRESON COMMUNITY WEB SITE SHOULD NOT BE RELIED UPON FOR PERSONAL, MEDICAL, LEGAL OR FINANCIAL DECISIONS AND YOU SHOULD CONSULT AN APPROPRIATE PROFESSIONAL FOR SPECIFIC ADVICE TAILORED TO YOUR SITUATION.

NEITHER CIRESON NOR ANY OF ITS SUPPLIERS MAKE ANY REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, AVAILABILITY, TIMELINESS, AND ACCURACY OF THE INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS CONTAINED ON THE CIRESON COMMUNITY WEB SITE FOR ANY PURPOSE. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ALL SUCH INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS ARE PROVIDED “AS IS” WITHOUT WARRANTY OR CONDITION OF ANY KIND. CIRESON AND/OR ITS SUPPLIERS HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL CIRESON AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OR PERFORMANCE OF THE CIRESON COMMUNITY WEB SITE, WITH THE DELAY OR INABILITY TO USE THE CIRESON COMMUNITY WEB SITE OR RELATED SERVICES, THE PROVISION OF OR FAILURE TO PROVIDE SERVICES, OR FOR ANY INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS OBTAINED THROUGH THE CIRESON COMMUNITY WEB SITE, OR OTHERWISE ARISING OUT OF THE USE OF THE CIRESON COMMUNITY WEB SITE, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF CIRESON OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. IF YOU ARE DISSATISFIED WITH ANY PORTION OF CIRESON COMMUNITY WEB SITE, OR WITH ANY OF THESE TERMS OF USE, YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USING THE CIRESON COMMUNITY WEB SITE.

SERVICE CONTACT: team@cireson.com

TERMINATION/ACCESS RESTRICTION

Cireson reserves the right, in its sole discretion, to terminate your access to the Cireson Community Web Site and the related services or any portion thereof at any time, without notice.

GENERAL

To the maximum extent permitted by law, this agreement is governed by the laws of the State of California, U.S.A. and you hereby consent to the exclusive jurisdiction and venue of courts in San Diego County, California, U.S.A. in all disputes arising out of or relating to the use of the Cireson Community Web Site. Use of the Cireson Community Web Site is unauthorized in any jurisdiction that does not give effect to all provisions of these terms and conditions, including without limitation this paragraph. You agree that no joint venture, partnership, employment, or agency relationship exists between you and Cireson as a result of this agreement or use of the Cireson Community Web Site. Cireson’s performance of this agreement is subject to existing laws and legal process, and nothing contained in this agreement is in derogation of Cireson’s right to comply with governmental, court and law enforcement requests or requirements relating to your use of the Cireson Community Web Site or information provided to or gathered by Cireson with respect to such use. If any part of this agreement is determined to be invalid or unenforceable pursuant to applicable law including, but not limited to, the warranty disclaimers and liability limitations set forth above, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the agreement shall continue in effect. Unless otherwise specified herein, this agreement constitutes the entire agreement between the user and Cireson with respect to the Cireson Community Web Site and it supersedes all prior or contemporaneous communications and proposals, whether electronic, oral or written, between the user and Cireson with respect to the Cireson Community Web Site. A printed version of this agreement and of any notice given in electronic form shall be admissible in judicial or administrative proceedings based upon or relating to this agreement to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form. It is the express wish to the parties that this agreement and all related documents be drawn up in English.

COPYRIGHT AND TRADEMARK NOTICES:

All contents of the Cireson Community Web Site are: Copyright 2016 by Cireson, LLC and/or its suppliers. All rights reserved.

TRADEMARKS

The names of actual companies and products mentioned herein and on the Cireson Community Web Site may be the trademarks of their respective owners.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.

Any rights not expressly granted herein are reserved.

NOTICES AND PROCEDURE FOR MAKING CLAIMS OF COPYRIGHT INFRINGEMENT

Cireson respects the intellectual property of others and asks that users of the Cireson Community Web Site do the same. In connection with the Cireson Community Web Site, we have adopted and implemented a policy respecting copyright law that provides for the removal of any infringing materials and for the termination, in appropriate circumstances, of users of the Cireson Community Web Site who are repeat infringers of intellectual property rights, including copyrights. If you believe that one of the Cireson Community Web Site users is, through the use of the Cireson Community Web Site, unlawfully infringing the copyright(s) in a work, and wish to have the allegedly infringing material removed, the following information in the form of a written notification (pursuant to 17 U.S.C. § 512(c)) must be provided to our designated Copyright Agent:

your physical or electronic signature;
identification of the copyrighted work(s) that you claim to have been infringed;
identification of the material on our services that you claim is infringing and that you request us to remove;
sufficient information to permit us to locate such material;
your address, telephone number, and e-mail address;
a statement that you have a good faith belief that use of the objectionable material is not authorized by the copyright owner, its agent, or under the law; and
a statement that the information in the notification is accurate, and under penalty of perjury, that you are either the owner of the copyright that has allegedly been infringed or that you are authorized to act on behalf of the copyright owner.

Please note that, pursuant to 17 U.S.C. § 512(f), any misrepresentation of material fact (falsities) in a written notification automatically subjects the complaining party to liability for any damages, costs and attorney’s fees incurred by us in connection with the written notification and allegation of copyright infringement.

Designated Agent: Matthew W. Deen, Esq.

Address of Agent: 1620 Fifth Avenue, Suite 875, San Diego, CA 92101

Telephone: 619-993-8873

Fax: 888-244-8458

Email: matt.deen@cireson.com