Cybersecurity researchers at Checkmarx have identified cross-site scripting (XSS) vulnerabilities in the Gallup polling company’s website that could potentially be exploited by malicious actors. The researchers promptly notified Gallup’s incident response team so the issue could be addressed.
According to Checkmarx’s report on Sept. 9, the first XSS flaw discovered was a reflected XSS bug with a CVSS score of 6.5 out of 10. The second vulnerability identified was a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4. These vulnerabilities, although serious, do not pose a threat to Gallup’s internal data or polling operations.
Specifically, the researchers found that the /kiosk.gx endpoint on the website failed to properly sanitize or encode the query string ALIAS parameter value, leaving it susceptible to exploitation. Additionally, the endpoint did not adequately protect query parameter values before inserting them into the page, opening the door to potential XSS attacks.
In response to these findings, Checkmarx recommends that cybersecurity teams ensure data is properly encoded before it is included in HTML responses or the page DOM. They also advise adjusting the Content Security Policy (CSP) to prevent browsers from fetching or executing scripts from unauthorized sources.
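The two recommendations above, shown as an added example that is not code from Checkmarx or Gallup: a query parameter is HTML-encoded before it is reflected, written to the DOM as text rather than markup, and the response carries a restrictive CSP. Only the ALIAS parameter name comes from the report; the function names, page markup and CSP directives are assumptions.

```javascript
// Added example with hypothetical names; not the site's actual code.
// Assumed policy: scripts load only from the page's own origin.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server side (reflected XSS): encode ALIAS before it enters the HTML response.
function renderKioskPage(queryString) {
  const alias = new URLSearchParams(queryString).get('ALIAS') ?? '';
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': CSP,
    },
    body: `<!doctype html><title>Kiosk</title><p id="alias">${escapeHtml(alias)}</p>`,
  };
}

// Client side (DOM-based XSS): assign the value as text, never via innerHTML.
function showAlias(doc, search) {
  const alias = new URLSearchParams(search).get('ALIAS') ?? '';
  doc.getElementById('alias').textContent = alias;
  return alias;
}

// Constructed sample input: markup supplied in the ALIAS parameter.
const sampleQuery = 'ALIAS=' + encodeURIComponent('<script>alert(1)</script>');
const samplePage = renderKioskPage(sampleQuery);
console.log(samplePage.headers['Content-Security-Policy']);
console.log(samplePage.body); // the markup arrives as inert, encoded text
```

Output encoding is the primary fix; the CSP header is a second layer that limits what a browser will execute if an encoding step is missed elsewhere.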
Updates to the initial report clarified that the vulnerabilities affected the website itself, not the underlying Gallup Poll infrastructure. Furthermore, it was confirmed that the bugs did not provide attackers with access to Gallup.com’s internal data or compromise sensitive information.
It’s important for organizations to remain vigilant against such vulnerabilities and promptly address any issues that could potentially be exploited by threat actors. By following best practices in web application security and regularly testing for vulnerabilities, companies can mitigate the risk of XSS attacks and safeguard their digital assets.
As of the latest update on Sept. 12, 2024, certain portions of the original article based on disputed information from the Checkmarx blog have been removed to ensure accuracy and integrity in reporting. This ongoing scrutiny and diligence in addressing security vulnerabilities highlight the importance of proactive cybersecurity measures in today’s digital landscape.
