Project

General

Profile

Actions
Copy link

Bug #16413

closed

Potential stored XSS in the Status_Traffic_Totals package

Added by Jim Pingle 6 days ago. Updated 3 days ago.

Status:
Resolved
Priority:
High
Assignee:
Jim Pingle
Category:
Status Traffic Totals
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

There is a potential stored cross-site scripting vulnerability in the Status_Traffic_Totals package:

In /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is printed back to the user without validation or encoding. This value can be saved as a default when visiting the Status Traffic Totals page.

Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34174

Actions
Copy link
 #2

Updated by Jim Pingle 3 days ago

  • Description updated (diff)
Actions
Copy link
 #3

Updated by Jim Pingle 3 days ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

MR Merged

Actions
Copy link
 #4

Updated by Jim Pingle 3 days ago

  • Private changed from Yes to No

New package build is now published and available for Plus 25.07.1, Plus 25.07, CE 2.8.1, and CE 2.8.0.

Actions
Copy link

Also available in: Atom PDF