Project

General

Profile

Actions
Copy link

Bug #15927

closed

Potential XSS in AutoConfigBackup backup list on ``services_acb.php``

Added by Jim Pingle 9 months ago. Updated 2 months ago.

Status:
Resolved
Priority:
High
Assignee:
Jim Pingle
Category:
Auto Configuration Backup
Target version:
2.8.0
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
25.07
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

The page at ``services_acb.php`` displays the "reason" string when listing backup entries from the server without encoding, which is a potential XSS vector.

The reason string for a backup entry is encoding when stored, but this encoding happens client-side so it may not always happen as expected. The page should escape the string before display to avoid any potential problems.

Actions
Copy link
 #1

Updated by Jim Pingle 9 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #3

Updated by Christopher Cope 9 months ago

  • Status changed from Feedback to Closed

Tested on

25.03-DEVELOPMENT (amd64)
built on Fri Dec 13 6:00:00 UTC 2024
FreeBSD 15.0-CURRENT

The fix is applied and the reason string is escaped. Marking as resolved.

Actions
Copy link
 #4

Updated by Jim Pingle 9 months ago

  • Status changed from Closed to Feedback

Still need to wait for feedback from the original reporter to be sure it's solved on their side before completely closing.

Actions
Copy link
 #5

Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Resolved
Actions
Copy link
 #6

Updated by Jim Pingle 4 months ago

  • Private changed from Yes to No
Actions
Copy link
 #7

Updated by Jim Pingle 2 months ago

  • Plus Target Version changed from 25.03 to 25.07
Actions
Copy link

Also available in: Atom PDF