XSS Vulnerability In Ext JS Action Column getTip

Impact Area: Security

Severity: High

Affected Element: ServiceNow UI Script; Salesforce Static Resource

Rule number: SN-JSL-002 (for ServiceNow); SF-JSL-002 (for Salesforce)

Impact

The getTip() method of Action Columns in Sencha Ext JS 4 to 6 before 6.6.0 is vulnerable to XSS attacks, even when it is passed HTML-escaped data: the method takes the escaped string and un-escapes it before rendering the tooltip. If the tooltip contains user-controlled data, an attacker could exploit this to mount a cross-site scripting attack even though developers took the precaution of escaping the data beforehand.

Remediation

Upgrade to Ext JS version 6.6.0 or later. There is no code-level fix for this vulnerability other than ensuring that the getTip() method is never used in affected versions.
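As an added example (not from this advisory and not Ext JS code), the block below models the escape/un-escape round trip described under Impact and includes a simple source check that flags getTip usage in a UI Script or Static Resource for the rule identifiers above. The htmlEncode/htmlDecode helpers and findGetTipUsages are my own stand-ins, and the sample script content is constructed.

```javascript
// Minimal HTML escaping, as a developer would apply before handing data to a grid.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// The reverse mapping. This stands in for the un-escaping step the advisory
// says happens inside getTip() (hypothetical stand-in, not Ext JS code).
function htmlDecode(s) {
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, (m) => ({
    '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'",
  }[m]));
}

// Escaping followed by decoding is a no-op: the caller's precaution is undone
// and whatever markup the user supplied reaches the tooltip unchanged.
function escapedTipSurvives(userText) {
  return htmlDecode(htmlEncode(userText)) === String(userText);
}

// Rule check (SN-JSL-002 / SF-JSL-002): report every line of a script that
// defines or calls getTip, since the remediation is to not use it at all.
function findGetTipUsages(source, rule = 'SN-JSL-002') {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    if (/\bgetTip\s*[:(]/.test(line)) {
      findings.push({ rule, line: i + 1, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample UI Script content for the check (not real customer code).
const SAMPLE_SCRIPT = [
  "Ext.create('Ext.grid.Panel', {",
  "  columns: [{",
  "    xtype: 'actioncolumn',",
  "    getTip: function (value) { return Ext.String.htmlEncode(value); },",
  "  }],",
  "});",
].join('\n');
```

Even though the sample's getTip escapes its value, the finding stands because the un-escaping happens after the callback returns.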

References

This rule is linked to Common Weakness Enumeration CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’).

Updated on March 21, 2025