From 737bce4cc5316666d4b6d75b20c5f13741158b03 Mon Sep 17 00:00:00 2001
From: glean-code-writer
Date: Thu, 26 Feb 2026 20:15:51 +0000
Subject: [PATCH] CE-717: Security patch v1.0.2.4 - fix XSS, upgrade Newtonsoft.Json, add deprecation notice

Generated by Glean Code Writer
---
 README.md | 22 +++++++++++++
 .../Data/UtagDataProvider.cs | 15 +++++++--
 .../Properties/AssemblyInfo.cs | 4 +--
 .../Tealium.Sitecore.TagManagement.csproj | 4 +--
 .../TealiumManager.cs | 32 ++++++++++++-------
 .../packages.config | 2 +-
 6 files changed, 59 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index 38f285d..5aed9c1 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,27 @@
 # Tealium Sitecore Module
 
+> **⚠️ SECURITY WARNING**
+>
+> **This module contains a critical XSS (Cross-Site Scripting) vulnerability** that allows attackers to inject arbitrary JavaScript through user-controlled input (e.g., URL parameters). Exploitation can lead to session hijacking, credential theft, and other attacks.
+>
+> **See GitHub Issue [#4](https://github.com/Tealium/integration-sitecore/issues/4) for technical details.**
+
+> **🚫 DEPRECATED - February 2026**
+>
+> **This module is officially deprecated and will receive no further updates after version 1.0.2.4.**
+>
+> This final release (v1.0.2.4) addresses the critical XSS vulnerability and updates the Newtonsoft.Json dependency to resolve a known DoS vulnerability. However, **no further security patches or feature updates will be provided**.
+>
+> **Migration Recommended:**
+> - **Option 1:** Use modern Tealium tracking via standard JavaScript (iQ Tag Management) with proper server-side encoding of all dynamic values before rendering into HTML/JavaScript contexts.
+> - **Option 2:** Migrate to server-side EventStream connectors that eliminate client-side injection risks entirely.
+>
+> For assistance with migration, please contact Tealium Support or your Customer Success Manager.
+
+---
+
+## About
+
 This GitHub repository contains Tealium's Sitecore integration module and related files. For importing directly into Sitecore, please download the latest package .zip file found in the "releases" section of this repository.
 
 ## License
diff --git a/Tealium.Sitecore.TagManagement/Data/UtagDataProvider.cs b/Tealium.Sitecore.TagManagement/Data/UtagDataProvider.cs
index 9da71b0..cf61480 100755
--- a/Tealium.Sitecore.TagManagement/Data/UtagDataProvider.cs
+++ b/Tealium.Sitecore.TagManagement/Data/UtagDataProvider.cs
@@ -2,6 +2,7 @@
 using System.Collections;
 using System.Collections.Generic;
 using System.Linq;
+using Newtonsoft.Json;
 using Sitecore;
 using Sitecore.Data;
 using Sitecore.Data.Items;
@@ -182,9 +183,17 @@ protected virtual object GetFieldValue(Item item, string name)
 
 protected virtual void AddUtag(IDictionary utagData, string paramName, object paramValue)
 {
- var value = paramValue is IEnumerable && !(paramValue is string) && !(paramValue is IEnumerable)
- ? "[" + string.Join(",", ((IEnumerable)paramValue).Cast().Select(x => "\"" + x.ToString() + "\"")) + "]"
- : "\"" + paramValue + "\"";
+ string value;
+
+ if (paramValue is IEnumerable && !(paramValue is string) && !(paramValue is IEnumerable))
+ {
+ var list = ((IEnumerable)paramValue).Cast().ToList();
+ value = JsonConvert.SerializeObject(list);
+ }
+ else
+ {
+ value = JsonConvert.SerializeObject(paramValue);
+ }
 
 utagData.Add(paramName, value);
 }
diff --git a/Tealium.Sitecore.TagManagement/Properties/AssemblyInfo.cs b/Tealium.Sitecore.TagManagement/Properties/AssemblyInfo.cs
index e2adffb..e30d4fa 100755
--- a/Tealium.Sitecore.TagManagement/Properties/AssemblyInfo.cs
+++ b/Tealium.Sitecore.TagManagement/Properties/AssemblyInfo.cs
@@ -31,5 +31,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.0.2.3")]
-[assembly: AssemblyFileVersion("1.0.2.3")]
+[assembly: AssemblyVersion("1.0.2.4")]
+[assembly: AssemblyFileVersion("1.0.2.4")]
diff --git a/Tealium.Sitecore.TagManagement/Tealium.Sitecore.TagManagement.csproj b/Tealium.Sitecore.TagManagement/Tealium.Sitecore.TagManagement.csproj
index dff14cd..60431da 100755
--- a/Tealium.Sitecore.TagManagement/Tealium.Sitecore.TagManagement.csproj
+++ b/Tealium.Sitecore.TagManagement/Tealium.Sitecore.TagManagement.csproj
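Review bot: The new `value = JsonConvert.SerializeObject(paramValue)` and `value = JsonConvert.SerializeObject(list)` lines in AddUtag escape quotes and control characters only; with Newtonsoft's default `StringEscapeHandling` the characters `<`, `>` and `&` pass through unchanged, so if `utagData` values end up inside an inline script block (not visible in this hunk, but implied by the commit's XSS framing and by the Newtonsoft usings added to TealiumManager.cs in the same patch) a string value containing a closing script tag still ends the element before the JavaScript parser ever sees the string literal. Serialize with HTML-safe escaping instead, e.g. `var settings = new JsonSerializerSettings { StringEscapeHandling = StringEscapeHandling.EscapeHtml };` and `value = JsonConvert.SerializeObject(Convert.ToString(paramValue), settings);`, with the same settings on the list call and on any serialization in the BodyInjections hunk of TealiumManager.cs. Passing `paramValue` straight to the serializer also changes the output contract the old code had: the removed lines always emitted a quoted string, whereas now an int serializes unquoted, null becomes the literal `null` rather than `""`, and an arbitrary Sitecore object is walked as an object graph and may throw on reference loops — `Convert.ToString(paramValue)` keeps the string-valued behaviour. Separately, the guard `paramValue is IEnumerable && !(paramValue is string) && !(paramValue is IEnumerable)` as reproduced here is always false, which would make the list branch unreachable; since `.Cast()` also appears without its type argument this is probably a generic argument lost in rendering, but it is worth confirming against the real source.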
@@ -63,8 +63,8 @@
 ..\packages\Lucene.Net.3.0.3\lib\NET40\Lucene.Net.dll
 True
-
- ..\packages\Newtonsoft.Json.6.0.8\lib\net45\Newtonsoft.Json.dll
+
+ ..\packages\Newtonsoft.Json.13.0.3\lib\net45\Newtonsoft.Json.dll
 True
diff --git a/Tealium.Sitecore.TagManagement/TealiumManager.cs b/Tealium.Sitecore.TagManagement/TealiumManager.cs
index 50175fc..daa83bd 100755
--- a/Tealium.Sitecore.TagManagement/TealiumManager.cs
+++ b/Tealium.Sitecore.TagManagement/TealiumManager.cs
@@ -1,6 +1,9 @@
 using System;
+using System.Collections.Generic;
 using System.Text;
 using System.Web;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
 using Sitecore;
 using Sitecore.Diagnostics;
 using Tealium.Sitecore.TagManagement.Data;
@@ -53,30 +56,35 @@ public virtual IHtmlString BodyInjections()
 }
 var sb = new StringBuilder("");
-
-
 sb.AppendLine("");
 sb.AppendLine(GenerateBodyScript());
diff --git a/Tealium.Sitecore.TagManagement/packages.config b/Tealium.Sitecore.TagManagement/packages.config
index aad9ea6..72e9103 100755
--- a/Tealium.Sitecore.TagManagement/packages.config
+++ b/Tealium.Sitecore.TagManagement/packages.config
@@ -2,7 +2,7 @@
-
+