This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.

Is Cypher statement secured?

ri8ika
Graph Voyager

‎04-28-2019 11:26 PM

I was browsing some content for research and found this which states:

The neo4j-browser is vulnerable to cross-site scripting (XSS) attacks. The vulnerability allows a malicious attacker to execute code code through a incorrectly sanitized Cypher Statement.

Is this true? If yes, what we should care for?

0 Kudos
Reply
3 REPLIES 3

elaine_rosenber
Neo4j
Neo4j

‎04-29-2019 06:06 AM

What do you see when you execute this?

curl -I -k https://localhost:7473/browser/

Elaine

0 Kudos
Reply

elaine_rosenber
Neo4j
Neo4j

‎04-29-2019 06:46 AM

The article that you are referencing is about 3.0.0-M02. Our browser has been updated since that release with CORS headers, etc. so this should no longer be an issue.

Elaine

0 Kudos
Reply

sim51
Node Link

‎04-29-2019 06:52 AM

Hi,

If you go on this page https://www.sourceclear.com/vulnerability-database/libraries/neo4j-browser/java/maven/lid-384778 , you will see that the affected version was an old one, and that the latest version is not affected according to this website.

You can make some tests by yourself if you want by running this kind of query :
RETURN "><script>alert('toto')</script>" AS html

Cheers

0 Kudos
Reply
Nodes 2022
Nodes
NODES 2022, Neo4j Online Education Summit

All the sessions of the conference are now available online

Watch replays