Bug #16770: Potential XSS in RSS Widget feed content post titles
Status: closed
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 26.07
Release Notes: Default
Affected Version:
Affected Architecture:
Description
The RSS widget library does not encode post titles before display as it does with other content. As a consequence, if a feed configured in the RSS widget supplies content with a malicious payload in a post title, it could be delivered to the user's browser and executed.
A sample feed is attached.
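The defect the description refers to, shown as an added Python example (this is not the project's widget code and not the attached badfeed.xml): a constructed RSS feed whose item title carries a script tag, a renderer that encodes the description and link but writes the title out raw, and the corrected renderer that HTML-encodes every feed-supplied string at the point of output. The feed escapes the tag as `&lt;script&gt;` in transit, so the XML parser hands the renderer a literal `<script>` string, which is exactly what a naive `echo` of the title would place in the page. All names and the sample feed are this example's own.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed for this example; it is not the badfeed.xml attached
# to the issue. The item title carries a script tag (XML-escaped in transit,
# so the parser hands the renderer a literal "<script>" string).
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Example feed</title>
    <link>https://feed.example.invalid/</link>
    <item>
      <title>Weekly update &lt;script&gt;alert('xss')&lt;/script&gt;</title>
      <link>https://feed.example.invalid/post/1</link>
      <description>Body text with &lt;b&gt;markup&lt;/b&gt;</description>
    </item>
  </channel>
</rss>
"""


def parse_items(feed_xml):
    """Return a list of {title, link, description} dicts, one per <item>."""
    root = ET.fromstring(feed_xml)
    return [
        {
            "title": item.findtext("title", default=""),
            "link": item.findtext("link", default=""),
            "description": item.findtext("description", default=""),
        }
        for item in root.iter("item")
    ]


def render_vulnerable(items):
    """Renderer with the defect the issue describes: the link and the
    description are encoded, the title is written into the page as-is."""
    rows = []
    for it in items:
        rows.append(
            '<p><a href="{}">{}</a><br/>{}</p>'.format(
                html.escape(it["link"], quote=True),
                it["title"],  # BUG: feed-controlled string emitted as markup
                html.escape(it["description"], quote=True),
            )
        )
    return "\n".join(rows)


def render_fixed(items):
    """Corrected renderer: every feed-supplied string is HTML-encoded at the
    point of output, attribute values included (quote=True also encodes
    quote characters so a title cannot break out of an attribute)."""
    rows = []
    for it in items:
        rows.append(
            '<p><a href="{}">{}</a><br/>{}</p>'.format(
                html.escape(it["link"], quote=True),
                html.escape(it["title"], quote=True),
                html.escape(it["description"], quote=True),
            )
        )
    return "\n".join(rows)


def has_unencoded_script(rendered_html):
    """Check a reviewer can run over the rendered output: a raw <script tag
    means feed content reached the browser as markup rather than text."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    items = parse_items(SAMPLE_FEED)
    print("vulnerable renderer emits script tag:", has_unencoded_script(render_vulnerable(items)))
    print("fixed renderer emits script tag:     ", has_unencoded_script(render_fixed(items)))
```

The check is deliberately applied to the rendered HTML rather than to the parsed feed: the feed parser is not where the fault lies, and a feed can also deliver the same tag inside a CDATA section, so the only reliable place to assert is the string that actually goes to the browser.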
Files
Updated by Jim Pingle 3 days ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset commit:9363ac5b8651a1c7a333180425ce7719070f95f9.
Updated by Jim Pingle 3 days ago
- File badfeed.xml added
This is a basic feed that contains a post entry title which triggers the problem.
Updated by Jim Pingle 1 day ago
- Status changed from Feedback to Resolved
Patch is available in the Recommended Patches section of the latest System Patches Package version.