Bug #6326 (closed)

pkg.php outputs saved data without encoding, leading to a potential stored XSS

Added by Jim Pingle almost 8 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Package System
Target version:
Start date: 05/06/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

pkg.php displays lists of items saved by some packages. In those lists, the item data entered by users is printed without HTML encoding. Packages that do not validate the data prior to saving, such as those with free-form description fields, can end up with a stored XSS. The shellcmd package is one example, but it also affects several others (squid, squidGuard, Quagga, OpenBGPD, pfBlocker, and more).
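As an added illustration of the pattern described above (example code written for this page, not pfSense's own pkg.php; the field names and the sample item are hypothetical), the same list row rendered with and without output encoding:

```php
<?php
// Constructed sample: a package item whose free-form description was saved
// without validation and therefore contains HTML markup.
$item = [
    'name'        => 'nightly-backup',
    'description' => 'Run backup <b>every night</b>',
];

// Vulnerable pattern: saved data is concatenated straight into the page, so
// any markup in the description is interpreted by the browser (stored XSS).
function render_row_unencoded(array $item): string {
    return '<tr><td>' . $item['name'] . '</td><td>'
         . $item['description'] . '</td></tr>';
}

// Hardened pattern: every user-controlled value is HTML-encoded at output
// time, which protects the list even when the package did not validate on
// save. ENT_QUOTES also encodes single quotes, which matters in attributes.
function html_out(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

function render_row_encoded(array $item): string {
    return '<tr><td>' . html_out($item['name']) . '</td><td>'
         . html_out($item['description']) . '</td></tr>';
}

echo render_row_unencoded($item), "\n";
echo render_row_encoded($item), "\n";
```

The first line prints the `<b>` tag as live markup; the second prints it as `&lt;b&gt;`, so the browser shows the literal text instead of executing it.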

Fixed by:

RELENG_2_2 e079998e9d063d826d341b2b3dd8a53458a67757
RELENG_2_3_0 828ec6af040acde23d2df98b572df708aa938532
RELENG_2_3 45c50e6fa4d5b92859cfaf979b76cf156c07d8d4
master d6ab749630ab5fa4a1d3fe6e58ce47452217cdbc

#1

Updated by Jim Pingle about 7 years ago

  • Private changed from Yes to No
