Bug #15224
closed``services_acb_settings.php`` does not fully validate value of ``frequency``, uses value without encoding
100%
Description
The value supplied by the user for the frequency
parameter on services_acb_settings.php
is not fully validated, is stored in config.xml
, and is then used in JavaScript without encoding.
This could lead to a potential stored XSS vulnerability where an attacker could make the change and then have another administrator visit the page at a later time.
Due to the location where the variable is used in JavaScript, the contents of the submitted string must break out of its current location using a value such as ")); alert(1);//
The user must be logged in and have sufficient privileges to access services_acb_settings.php
and make changes to the configuration.
To me, I already have a fix tested and ready.
Updated by Jim Pingle 11 months ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 6f59a7f9fdfe3703667819fcbbd8b6f8cbec0d9f.
Updated by Christopher Cope 10 months ago
- Status changed from Feedback to Resolved
I can reproduce this on
23.09.1-RELEASE (amd64) built on Wed Dec 6 20:22:00 UTC 2023 FreeBSD 14.0-CURRENT
Testing on
24.03-DEVELOPMENT (amd64) built on Thu Feb 15 6:00:00 UTC 2024 FreeBSD 15.0-CURRENT
and I can no longer trigger it. Marking resolved.