Security scan turned up several flaws

Fixed in

EPiServer.Marketing.Testing 2.5.9

Created

Mar 05, 2019

Updated

Apr 19, 2019

State

Closed, Fixed and tested


Description

Description

A function call contains an HTTP response-splitting flaw. Writing untrusted input to an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.

Recommendations

Remove unexpected carriage returns and line feeds from untrusted data used to construct an HTTP response. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

Offender:

episerver.marketing.testing.web.dll
void AddCookie(System.Web.HttpCookie)

episerver.marketing.connector.dll
void UpsertTrackingCookie(string, string,System.Collections.Generic.List<Connector.Framework.Data.CookieData>)

Possible Offender:

episerver.marketing.kpi.dll
episerver_marketing_kpi_dll.EPiServer.Marketing.KPI.Common.StickySiteKpi
void AddSessionOnLoadedContent(object sender, ContentEventArgs e)