Cross Site Scripting Issue on Windchill UI

GV_10400811 · ‎Jul 23, 2024

I am using Windchill PDMLink Release 12.0 and Datecode with CPS 12.0.1.0

During Penetration testing, getting Cross Site Scripting (XSS) vulnerability issue on one of the customized UI Pages in Windchill.

Here are the errors that I faced
During Penetration testing, when the Windchill payload is changed via burp suite tool, It is observed that user can add any alert script in the payload and send the request which will cause change in the request and making the system vulnerable to the attackers/hackers

Marco_Tosin · ‎Jul 23, 2024

It is always a good idea, for security reasons, to avoid going into detail about possible problems such as the one you are reporting.

Also, the user community is not the right place to write this information.

If you believe that a security problem exists, you should open a case to support, who will guide you in a possible temporary solution and possibly proceed to make a patch for all other users.

Marco

Catalina · ‎Jul 26, 2024

Hi @GV_10400811,

I wanted to see if you got the help you needed.

If so, please mark the appropriate reply as the Accepted Solution. It will help other members who may have the same question.
Please note that industry experts also review the replies and may eventually accept one of them as solution on your behalf.
Of course, if you have more to share on your issue, please pursue the conversation.

Thanks,

Catalina
PTC Community Moderator