Merge pull request #14419 from rvermeulen/rvermeulen/javascript-adjust-security-severity

erik-krogh · web-flow · commit 14e51627c52b · 2023-11-14T21:34:25.000+01:00
JavaScript: Adjust XSS and log injection query severities
diff --git a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -4,7 +4,7 @@
  *              a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id js/reflected-xss
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/StoredXss.ql b/javascript/ql/src/Security/CWE-079/StoredXss.ql
@@ -4,7 +4,7 @@
  *              a stored cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id js/stored-xss
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/Xss.ql b/javascript/ql/src/Security/CWE-079/Xss.ql
@@ -4,7 +4,7 @@
  *              a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id js/xss
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-117/LogInjection.ql b/javascript/ql/src/Security/CWE-117/LogInjection.ql
@@ -4,7 +4,7 @@
  *              insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
  * @precision medium
  * @id js/log-injection
  * @tags security
diff --git a/javascript/ql/src/change-notes/2023-10-09-adjust-xss-and-log-injection-severity.md b/javascript/ql/src/change-notes/2023-10-09-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,6 @@
+---
+category: queryMetadata
+---
+
+* Lower the severity of log-injection to medium.
+* Increase the severity of XSS to high.
