
Profile API: Throws 500 code when sending export Segment request with security SegmentId

Fixed in: EPiServer.Profiles.Client 1.7.0 (or a related package)

Created: Jul 06, 2018

Updated: Nov 30, 2018

State: Closed, Fixed and tested


Description

Steps to reproduce

  1. Do a query with:
     • Method: GET
     • URL: /api/v1.0/segments/@segmentId/export/segmentId with data as below:

segmentId=<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
segmentId=1' or '1'='1
segmentId=< abc123 >

Expected:
It shows Not Found.

Actual:
It shows:
{
  "error": { "code": "500", "message": "Server error occurred.", "target": "", "details": [] }
}
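Added illustration (not Episerver's code) of the handling the report expects: the segment ID is validated before any lookup, so the three inputs above are answered with 404 instead of reaching code that throws and surfaces as the generic 500. The ID pattern and the in-memory segment store are assumptions; the real Profile Store ID format may differ.

```python
import re
from typing import Any, Dict, Tuple

# Assumption (not stated in the report): a segment ID is a short opaque token of
# letters, digits and hyphens. Adjust the pattern to the real ID format.
SEGMENT_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")

# Constructed stand-in for the segment store the real API queries.
SEGMENTS: Dict[str, Dict[str, Any]] = {
    "seg-123": {"name": "Returning visitors", "profiles": ["p1", "p2"]},
}


def error(code: int, message: str) -> Tuple[int, Dict[str, Any]]:
    """Build the error envelope shape shown in the report, paired with the HTTP status."""
    return code, {"error": {"code": str(code), "message": message,
                            "target": "", "details": []}}


def export_segment(segment_id: str) -> Tuple[int, Dict[str, Any]]:
    """Handle the export request for one segment ID.

    Validation runs before the lookup, so script tags, quote characters and
    angle brackets never reach code that could throw; unknown but well-formed
    IDs are also 404. Only a genuine internal failure becomes a 500, and that
    500 echoes neither the input nor a stack trace.
    """
    if not SEGMENT_ID_RE.match(segment_id):
        return error(404, "Not Found")
    try:
        segment = SEGMENTS[segment_id]
    except KeyError:
        return error(404, "Not Found")
    except Exception:
        return error(500, "Server error occurred.")
    return 200, {"segmentId": segment_id, "profiles": list(segment["profiles"])}


# The three inputs from the steps to reproduce above.
PAYLOADS_FROM_REPORT = [
    '<INPUT TYPE="IMAGE" SRC="javascript:alert(\'XSS\');">',
    "1' or '1'='1",
    "< abc123 >",
]


def check_report_payloads() -> Dict[str, int]:
    """Return the HTTP status each input from the report receives."""
    return {p: export_segment(p)[0] for p in PAYLOADS_FROM_REPORT}


if __name__ == "__main__":
    for payload, status in check_report_payloads().items():
        print(status, repr(payload))
```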