Moderate severity · NVD Advisory · Published Jun 26, 2018 · Updated Aug 5, 2024

CVE-2018-1000516

Description

Galaxy v14.10 is vulnerable to XSS via unsanitized user input in templates, leading to arbitrary JavaScript execution; fixed in v14.10.1 and v15.01.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Galaxy Project's Galaxy server, version v14.10, contains a cross-site scripting (XSS) vulnerability (CWE-79): many templates used by the server did not properly sanitize user input [2]. Injected JavaScript can therefore be reflected or stored in page components that users interact with. The vulnerability is fixed in v14.10.1 and v15.01 [1][2].
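An added illustration of the defect class described above (example code, not Galaxy's own templates or rendering code): a raw placeholder substitution beside an escape-by-default renderer, plus a check that flags rendered output in which a substituted value introduced tags the template itself did not contain. The `${name}` placeholder syntax, template string and input value are constructed for the example.

```python
import html
import re

# Constructed sample template with one placeholder for a user-supplied value.
# This is an illustrative stand-in, not a template from the Galaxy code base.
TEMPLATE = "<p>Welcome, ${name}!</p>"
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")

# Constructed sample input carrying markup, the kind of value the advisory describes.
USER_INPUT = "<script>alert(1)</script>"

def render_unsafe(template, context):
    """Vulnerable pattern: the raw value is emitted verbatim, so any markup
    in user input becomes part of the page and runs in the viewer's browser."""
    return PLACEHOLDER.sub(lambda m: str(context[m.group(1)]), template)

def render_escaped(template, context, trusted=()):
    """Hardened pattern: every substituted value is HTML-escaped by default.
    Only names explicitly listed in `trusted` bypass escaping, so forgetting
    to mark a value fails safe instead of failing open."""
    def substitute(match):
        key = match.group(1)
        value = str(context[key])
        # quote=True also escapes " and ', covering quoted attribute contexts.
        return value if key in trusted else html.escape(value, quote=True)
    return PLACEHOLDER.sub(substitute, template)

def count_tags(markup):
    """Count tag openers (e.g. '<p', '</p') in a string."""
    return len(re.findall(r"<\s*/?\s*[A-Za-z]", markup))

def introduces_markup(template, rendered):
    """Detection check: True when rendering added tags beyond those the
    template already contained, i.e. a substituted value carried markup."""
    return count_tags(rendered) > count_tags(template)

if __name__ == "__main__":
    ctx = {"name": USER_INPUT}
    for name, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        out = render(TEMPLATE, ctx)
        print(f"{name:8} {out!r}  introduces_markup={introduces_markup(TEMPLATE, out)}")
```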

Exploitation

To exploit this vulnerability, an attacker must craft a URL or other input containing arbitrary JavaScript code and convince a victim (a Galaxy user or administrator) to access a link or interact with a page component that includes the injected code [2]. No further authentication or privileges are required beyond the victim's normal access.

Impact

Successful exploitation leads to arbitrary JavaScript code execution in the context of the victim's browser session [1][2]. This can result in session hijacking, data theft, or unauthorized actions performed on behalf of the victim, potentially compromising both user and administrative accounts.

Mitigation

Administrators are strongly advised to update Galaxy to version v14.10.1, v15.01, or later [1][2]. The fix is available via the stable branch tags latest_2015.01.13 and latest_2014.10.06 [1]. No workaround is documented for unpatched versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions    Patched versions
galaxy-app (PyPI)   < 14.10.1            14.10.1
galaxy-app (PyPI)   >= 15.0, < 15.01     15.01
