Bug #11616
Potential stored XSS vulnerability in services_wol.php
Status: Closed
Start date: 03/03/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: All
Affected Architecture:
Description
There is a potential stored XSS in services_wol.php.
When waking all devices (services_wol.php?wakeall=true) the page prints the WOL entry description without encoding, which can result in a stored XSS vulnerability.
Steps to reproduce:
- Services > Wake on LAN
- Create a WOL entry with a description such as <script>alert(1)</script>
- Services > Wake on LAN
- Click "Wake All Devices"
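
The unencoded-output pattern described in this report, next to an output-encoded version, as an added example. It is not pfSense's code and not the contents of the referenced changeset; the entry array layout, function names and message text are assumptions.

```php
<?php
// Constructed sample data standing in for stored WOL entries
// (hypothetical structure, not pfSense's configuration format).
$wol_entries = [
    ['mac' => '00:11:22:33:44:55', 'descr' => 'Office NAS'],
    ['mac' => '66:77:88:99:aa:bb', 'descr' => '<script>alert(1)</script>'],
];

// Vulnerable pattern: the stored description is written into the HTML
// response exactly as it was saved, so markup in it is parsed by the browser.
function render_wake_result_unsafe(array $entry): string
{
    return "Sent magic packet to {$entry['mac']} ({$entry['descr']}).<br />";
}

// Encode for the HTML context at output time. ENT_QUOTES also covers
// attribute contexts; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every stored field is encoded before it is printed,
// including fields that are normally validated on input (the MAC address).
function render_wake_result_safe(array $entry): string
{
    return 'Sent magic packet to ' . h($entry['mac'])
        . ' (' . h($entry['descr']) . ').<br />';
}

// Regression check: encoded output must not contain a literal tag opener
// that originated from stored data.
function contains_raw_markup(string $html): bool
{
    $without_own_tags = str_replace('<br />', '', $html);
    return strpos($without_own_tags, '<') !== false;
}

foreach ($wol_entries as $entry) {
    $unsafe = render_wake_result_unsafe($entry);
    $safe = render_wake_result_safe($entry);
    printf("unsafe raw markup: %s\n", contains_raw_markup($unsafe) ? 'yes' : 'no');
    printf("safe raw markup:   %s\n", contains_raw_markup($safe) ? 'yes' : 'no');
    echo $safe, "\n";
}
```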
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 2e94828cd021a8f0fd1a89475f6e0f4bb2f5805f.
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to Closed
Fixed and confirmed fixed multiple times.