Cross-Site Scripting vulnerability

by Lars Holm Nielsen, on July 15, 2019


On June 30th, one of our users, Ciro Santilli, reported that he had discovered a Cross-Site Scripting (XSS) vulnerability in Zenodo. We immediately fixed the vulnerability by July 1st and we also verified that the vulnerability was not exploited by malicious users.

What is Cross-Site Scripting (XSS)?

XSS is one of the most common type of vulnerabilities in web applications. A XSS vulnerability is a type of vulnerability where a malicious user is able to inject a client-side script into a website like Zenodo. This will make a victims browser execute the script, which can be used to e.g. hijack user sessions or redirect the victim to a malicious site.

How was the vulnerability discovered?

The issue was reported to us on July 30th by Ciro Santilli. We would like to send a special thank you to Ciro for discovering the issue and responsibly disclosing it to us.

Was the XSS vulnerability exploited?

No. We have scanned our database for malicous use of the vulnerability and have not found any indications on that it was exploited in any way.

Is Zenodo secure to use?

Yes. We take security very serious and do our best to protect your data (read more about what we do on http://about.zenodo.org/infrastructure/).

How do I report a possible security incident?

Please report it directly to us via https://zenodo.org/support. Especially, we ask you to not report it in a public fashion, in order to give us time to deploy a fix for the issue.

How do you handle a reported security incident?

Once we receive your report, we will acknowledge the receipt. We will then proceed to verify the issue and if needed implement and deploy a fix. Once the issue has been fixed, we will publicly disclose the issue via a blog post and atttribute the discovery to you (if you wish to be credited).

Why did it take 14 days to communicate?

The public disclosure of the issue has been coordinated with security relases of Invenio, which is the underlying framework that Zenodo is based on.

As a standard measure and after patching Zenodo, we reviewed the Invenio source code for potential similar issues to those identified in Zenodo. This led to the discovery of three additional XSS vulnerabilities.

See details on http://inveniosoftware.org/blog/security-advisor-20190715/.