Is Cypher statement secured?

I was browsing some content for research and found this which states:

The neo4j-browser is vulnerable to cross-site scripting (XSS) attacks. The vulnerability allows a malicious attacker to execute code through an incorrectly sanitized Cypher Statement.

Is this true? If yes, what should we care about?

What do you see when you execute this?

curl -I -k https://localhost:7473/browser/

Elaine

The article that you are referencing is about 3.0.0-M02. Our browser has been updated since that release with CORS headers, etc. so this should no longer be an issue.

Elaine

Hi,

If you go to this page https://www.sourceclear.com/vulnerability-database/libraries/neo4j-browser/java/maven/lid-384778, you will see that the affected version was an old one, and that the latest version is not affected according to this website.

You can run some tests yourself if you want by running this kind of query:
RETURN "><script>alert('toto')</script>" AS html

Cheers