XSS Vulnerability: Ceros Scroll Proxy
Summary
Ceros has released a security update to resolve one cross-site scripting (XSS) vulnerability affecting proprietary code referred to as the Ceros “Scroll Proxy,” which affected both exported content and content that utilizes a self-hosted version of the Scroll Proxy (scroll-proxy.js).
XSS attacks allow an attacker to run malicious javascript on another user’s browser. The malicious script could capture cookies or session tokens, or rewrite the content of the page. A vulnerability refers to the possibility of exposure to an XSS attack. Read more about XSS here.
Analysis
Ceros confirmed a Proof-of-concept (PoC) code that demonstrates a theoretical exploit of this vulnerability (PoC available upon request).
Ceros is not aware of any successful exploitation happening in the wild or of any breach of internal or customer data.
Exploitation of this vulnerability would require that a malicious iFrame hosted on the same page as a Ceros iFrame is specifically targeting Ceros content to perform an XSS attack on the parent page. While this is an unlikely scenario, it would have been theoretically possible prior to this patch release.
Solution
At 4 PM EDT on August 2, 2019, Ceros released a patched build to its production environment to remediate the vulnerability and took additional steps to revise how embedded experiences speak to the scroll proxy. This response was immediate and the Ceros team was able to remediate this vulnerability within 24 hours of discovery.
If you are using a standard Ceros embed code, you don’t need to do anything.
However, if you are self-hosting the Scroll Proxy, you will need to re-export to upgrade to the patched version to remediate this vulnerability.
Safeguards
Ceros is performing a full root cause analysis and a formal review of security testing procedures to avoid this type of vulnerability in the future.
If you discover a vulnerability in any Ceros product, please let us know at security@ceros.com.
Should you have any questions or need help remediating this vulnerability, please email support@ceros.com.
XSS Vulnerability: Exported Experiences
Summary
Ceros has released a security update to resolve one cross-site scripting (XSS) vulnerability affecting Internet Explorer browsers and exported, self-hosted Ceros Experiences.
XSS attacks allow an attacker to run malicious javascript on another user’s browser. The malicious script could capture cookies or session tokens, or rewrite the content of the page. A vulnerability refers to the possibility of exposure to an XSS attack. Read more about XSS here.
Analysis
Ceros confirmed a Proof-of-concept (PoC) code that demonstrates a theoretical exploit of this vulnerability (PoC available upon request).
Ceros is not aware of any successful exploitation happening in the wild or of any breach of internal or customer data.
Solution
At 10 PM EDT on July 31, 2019, Ceros released a patched build to its production environment to remediate the vulnerability for any newly exported experiences. This response was immediate and the Ceros team was able to remediate this vulnerability within 24 hours of discovery.
Because exported Ceros content is no longer managed by Ceros, we are unable to retroactively apply this fix to experiences exported prior to 4 PM EDT on August 2nd, 2019.
In order to completely resolve your vulnerability, you must re-export and replace all Ceros Experiences that are hosted outside of Ceros, as well as any CDE files that you are self-hosting. Please consult our guide to exporting experiences.
If you have a large quantity of experiences to export, we have developed a script that can patch all exported experiences. This script can only be run by a developer or a system administrator. If you have such a person, please reach out to support@ceros.com for more information.
Safeguards
Ceros is performing a full root cause analysis and a formal review of security testing procedures to avoid this type of vulnerability in the future.
If you discover a vulnerability in any Ceros product, please let us know at security@ceros.com.
Should you have any questions or need help remediating this vulnerability, please email support@ceros.com.
Account Color Palette
In addition to the Experience Color palette, Studio users now have the ability to save a color swatch to be shared across experiences. Any color added to Account Colors within an experience will immediately be available in the palette, across all other experiences in the account.
Google Tag Manager User Toggle
We now allow users to toggle the initialization of Google Tag Manager on an embedded page view. In the case that the parent page is already configured with Google Tag Manager/Google Analytics, you may disable this feature to prevent double reporting of page views.
Log GTM/GA calls to browser console in Previewer
For accounts that have configured Google Analytics/Google Tag Manager, we will now display all submitted calls in the Browser console when using Ceros Previewer. This will allow you to preview both your experience and your data to ensure your analytics integration is configured correctly.
ChartBlocks for Ceros
Our ChartBlocks integration now allows users to view and embed charts through a new integration panel in the Studio. This integration only supports embedding; users will need to go directly through their ChartBlocks account to create or modify a chart.
All Ceros clients have the Enterprise ChartBlocks plan included at no cost. Please contact your Customer Success Manager to enable your integration.