CVE-2021-44217: 
Python vulnerability analysis and mitigation

A stored Cross-site scripting (XSS) vulnerability was discovered in Ericsson CodeChecker through version 6.18.0. The vulnerability exists in the comments component of the reports viewer, where remote attackers can inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API. The vulnerability was disclosed on January 18, 2022 (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has a CVSS v3.1 Base Score of 6.1 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability stems from insufficient validation of user input in the comments component, allowing attackers to inject malicious web scripts (NVD).

The vulnerability can lead to session hijacking and full account takeover. Since CodeChecker has a permission system to isolate users with different privileges, an attacker with low privileges (such as a guest account) can steal secret cookies of superusers or other sensitive information from scanning reports (Exploit POC).

The vulnerability was fixed in version 6.18.2 through proper escaping of values for v-html attributes. The server now returns the escaped version of these values which can be safely rendered on the UI (GitHub PR).