Actions
Bug #16949
openPotential XSS via Backup package entry name and path values
Start date:
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
Description
The Backup package does not validate the name or path values for Backup location entries. It also prints the name and path values without encoding, leading to a potential XSS.
Reported by: @lujiefsi
Updated by Jim Pingle about 10 hours ago
- Description updated (diff)
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
- Added validation for backup entry values such as name and path to address XSS concerns.
- Added encoding before display for name, path, and other values.
- Rewrote action handling to use only POST for all actions so it does not take destructive actions via GET requests
- Cleaned up various other concerns and redundant code
New packages are building now for Plus 26.03.1, CE 2.8.1, and will be in snapshots next time they run.
Updated by Jim Pingle about 8 hours ago
- Private changed from Yes to No
Updated packages are now available.
Actions