CE-717: Security patch v1.0.2.4 - fix XSS, upgrade Newtonsoft.Json, add deprecation notice

README.md

@@ -1,5 +1,27 @@
 # Tealium Sitecore Module
 
+> **⚠️ SECURITY WARNING**
+>
+> **This module contains a critical XSS (Cross-Site Scripting) vulnerability** that allows attackers to inject arbitrary JavaScript through user-controlled input (e.g., URL parameters). Exploitation can lead to session hijacking, credential theft, and other attacks.
+>
+> **See GitHub Issue [#4](https://github.com/Tealium/integration-sitecore/issues/4) for technical details.**
+
+> **🚫 DEPRECATED - February 2026**
+>
+> **This module is officially deprecated and will receive no further updates after version 1.0.2.4.**
+>
+> This final release (v1.0.2.4) addresses the critical XSS vulnerability and updates the Newtonsoft.Json dependency to resolve a known DoS vulnerability. However, **no further security patches or feature updates will be provided**.
+>
+> **Migration Recommended:**
+> - **Option 1:** Use modern Tealium tracking via standard JavaScript (iQ Tag Management) with proper server-side encoding of all dynamic values before rendering into HTML/JavaScript contexts.
+> - **Option 2:** Migrate to server-side EventStream connectors that eliminate client-side injection risks entirely.
+>
+> For assistance with migration, please contact Tealium Support or your Customer Success Manager.
+
+---
+
+## About
+
 This GitHub repository contains Tealium's Sitecore integration module and related files.  For importing directly into Sitecore, please download the latest package .zip file found in the "releases" section of this repository.
 
 ## License

Tealium.Sitecore.TagManagement/Data/UtagDataProvider.cs

@@ -2,6 +2,7 @@
 using System.Collections;
 using System.Collections.Generic;
 using System.Linq;
+using Newtonsoft.Json;
 using Sitecore;
 using Sitecore.Data;
 using Sitecore.Data.Items;
@@ -182,9 +183,17 @@ protected virtual object GetFieldValue(Item item, string name)
 
         protected virtual void AddUtag(IDictionary<string, string> utagData, string paramName, object paramValue)
         {
-            var value = paramValue is IEnumerable && !(paramValue is string) && !(paramValue is IEnumerable<char>)
-                ? "[" + string.Join(",", ((IEnumerable)paramValue).Cast<object>().Select(x => "\"" + x.ToString() + "\"")) + "]" 
-                : "\"" + paramValue + "\"";
+            string value;
+
+            if (paramValue is IEnumerable && !(paramValue is string) && !(paramValue is IEnumerable<char>))
+            {
+                var list = ((IEnumerable)paramValue).Cast<object>().ToList();
+                value = JsonConvert.SerializeObject(list);
+            }
+            else
+            {
+                value = JsonConvert.SerializeObject(paramValue);
+            }
 
             utagData.Add(paramName, value);
         }

Tealium.Sitecore.TagManagement/Properties/AssemblyInfo.cs

@@ -31,5 +31,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.0.2.3")]
-[assembly: AssemblyFileVersion("1.0.2.3")]
+[assembly: AssemblyVersion("1.0.2.4")]
+[assembly: AssemblyFileVersion("1.0.2.4")]

Tealium.Sitecore.TagManagement/Tealium.Sitecore.TagManagement.csproj

@@ -63,8 +63,8 @@
       <HintPath>..\packages\Lucene.Net.3.0.3\lib\NET40\Lucene.Net.dll</HintPath>
       <Private>True</Private>
     </Reference>
-    <Reference Include="Newtonsoft.Json, Version=6.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
-      <HintPath>..\packages\Newtonsoft.Json.6.0.8\lib\net45\Newtonsoft.Json.dll</HintPath>
+    <Reference Include="Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
+      <HintPath>..\packages\Newtonsoft.Json.13.0.3\lib\net45\Newtonsoft.Json.dll</HintPath>
       <Private>True</Private>
     </Reference>
     <Reference Include="Sitecore.Kernel, Version=8.1.0.0, Culture=neutral, processorArchitecture=MSIL">

Tealium.Sitecore.TagManagement/TealiumManager.cs

@@ -1,6 +1,9 @@
 using System;
+using System.Collections.Generic;
 using System.Text;
 using System.Web;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
 using Sitecore;
 using Sitecore.Diagnostics;
 using Tealium.Sitecore.TagManagement.Data;
@@ -53,30 +56,35 @@ public virtual IHtmlString BodyInjections()
             }
 
             var sb = new StringBuilder("");
-
-			sb.AppendLine("<script type=\"text/javascript\">");
-			sb.AppendLine("var utag_data = {");
+            sb.AppendLine("<script type=\"text/javascript\">");
 
             try
             {
+                // Parse JSON-formatted values back to objects to avoid double-escaping
+                var utagDataObject = new Dictionary<string, object>();
                 foreach (var utagData in DataProvider.UtagData)
                 {
-                    sb.AppendLine(string.Format("  {0}: {1},", utagData.Key, utagData.Value));
+                    try
+                    {
+                        utagDataObject[utagData.Key] = JToken.Parse(utagData.Value);
+                    }
+                    catch
+                    {
+                        // If parsing fails, treat as a literal value
+                        utagDataObject[utagData.Key] = utagData.Value;
+                    }
                 }
-				// Remove the last comma for proper JSON output
-				if (sb.ToString().LastIndexOf(',') > 0)
-				{
-					sb.Remove(sb.ToString().LastIndexOf(','), 1);
-				}
-
+
+                // Serialize the entire object safely
+                var serializedData = JsonConvert.SerializeObject(utagDataObject);
+                sb.AppendLine("var utag_data = " + serializedData + ";");
             }
             catch (Exception ex)
             {
                 Log.Error("[TealliumManager]: " + ex.Message, ex, this);
+                sb.AppendLine("var utag_data = {};");
             }
 
-
-            sb.AppendLine("};");
             sb.AppendLine("</script>");
 
             sb.AppendLine(GenerateBodyScript());

Tealium.Sitecore.TagManagement/packages.config

@@ -2,7 +2,7 @@
 <packages>
   <package id="HtmlAgilityPack" version="1.4.6" targetFramework="net452" />
   <package id="Lucene.Net" version="3.0.3" targetFramework="net452" />
-  <package id="Newtonsoft.Json" version="6.0.8" targetFramework="net452" />
+  <package id="Newtonsoft.Json" version="13.0.3" targetFramework="net452" />
   <package id="SharpZipLib" version="0.86.0" targetFramework="net452" />
   <package id="Sitecore.Kernel" version="8.1.160519" targetFramework="net452" developmentDependency="true" />
   <package id="Sitecore.Logging" version="8.1.160519" targetFramework="net452" developmentDependency="true" />