Cron package needs basic input validation and output encoding
Plus Target Version:
Affected Plus Version:
The cron package neither validates its inputs nor encodes its output when displaying them. This can lead to a stored XSS.
The time-based fields can be validated against a basic regex to ensure they have the expected form (e.g. "1", "1,2", "*", "*/1", "1-3", etc.).
The user field can be validated against the operating system.
The command field cannot be validated as it could be a single command with unknown parameters or even multiple commands using pipes, redirection, etc.
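The validation and encoding split described above, as an added Python illustration (not code from the Cron package itself): the five time fields are checked for form and range, the user field is checked against the OS account database, and the free-form command is only HTML-encoded on output. The per-field ranges are an assumption based on a standard five-field crontab.

```python
import html
import pwd
import re

# Assumed ranges for a standard crontab: minute, hour, day-of-month, month, day-of-week.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

# One comma-separated item: "*", "N" or "N-M", optionally followed by "/step".
_ITEM_RE = re.compile(r"^(\*|\d+|\d+-\d+)(?:/(\d+))?$")


def validate_time_field(value: str, lo: int, hi: int) -> bool:
    """True if a single cron time field is well-formed and every number is within [lo, hi]."""
    for item in value.split(","):
        m = _ITEM_RE.match(item)
        if not m:
            return False
        base, step = m.group(1), m.group(2)
        if step is not None and int(step) == 0:  # "*/0" is never valid
            return False
        if base == "*":
            continue
        if "-" in base:
            start, end = (int(x) for x in base.split("-"))
            if not (lo <= start <= end <= hi):
                return False
        elif not (lo <= int(base) <= hi):
            return False
    return True


def validate_schedule(fields: list) -> list:
    """Return the indexes of invalid time fields; an empty list means the schedule is acceptable."""
    if len(fields) != len(FIELD_RANGES):
        raise ValueError("expected exactly five time fields")
    return [i for i, (v, (lo, hi)) in enumerate(zip(fields, FIELD_RANGES))
            if not validate_time_field(v, lo, hi)]


def validate_user(name: str) -> bool:
    """True if the user field names an account known to the operating system."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def render_command_cell(command: str) -> str:
    """The command cannot be validated, so encode it for safe inclusion in an HTML table cell."""
    return "<td>" + html.escape(command, quote=True) + "</td>"
```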
This is not a critical security issue as anyone with access to the Cron package can already run any command as any OS user, so they gain nothing by taking advantage of this.