2020-01-20
Chatbot with IBM Watson is a plugin for WordPress allowing administrators to include a "chatbot" functionality to interface with the Watson service in the IBM Cloud. It was developed by IBM Cognitive Class and has at least 2,000 active installations.
Download Link: Chatbot with IBM Watson
A DOM based XSS vulnerability has been identified in the chat functionality of the Watson Assistant plugin for WordPress, allowing a remote attacker to execute JavaScript in the victims browser by tricking the victim into pasting HTML inside the chat box.
Hooper Labs takes security issues seriously. We believe in working with relevant stakeholders to achieve coordinated disclosure within a reasonable period of time. We also adhere to the industry-standard 90-day disclosure deadline, where vendors are notified of vulnerabilities immediately, with details shared to the public after 90 days (or sooner if the issues are resolved earlier).
Common Vulnerabilities and Exposures (CVEs) are an industry standard for identifying vulnerabilities (link). This system is a method for reference and tracking of publicly-known exposures. A CVE is a way to uniquely reference vulnerabilities across systems and Mitre Corporation is the primary CVE Numbering Authority (CNA) for the program. We believe that users have a right to know their exposures in order to make informed risk decisions.
Hooper Labs does not participate in bug bounty programs, but instead relies on responsible disclosure (link). Effectively communicating vulnerabilities and risks to the vendor, users, and public ensure that risk can be documented, calculated, and mitigated. We hope that through this process that the Information Domain may be marginally safer.