Project

General

Profile

Actions

Bug #16949

open

Potential XSS via Backup package entry name and path values

Added by Jim Pingle about 10 hours ago. Updated about 8 hours ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
Backup
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

The Backup package does not validate the name or path values for Backup location entries. It also prints the name and path values without encoding, leading to a potential XSS.

Reported by: @lujiefsi

Actions #1

Updated by Jim Pingle about 10 hours ago

  • Description updated (diff)
  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
  • Added validation for backup entry values such as name and path to address XSS concerns.
  • Added encoding before display for name, path, and other values.
  • Rewrote action handling to use only POST for all actions so it does not take destructive actions via GET requests
  • Cleaned up various other concerns and redundant code

New packages are building now for Plus 26.03.1, CE 2.8.1, and will be in snapshots next time they run.

Actions #2

Updated by Jim Pingle about 8 hours ago

  • Private changed from Yes to No

Updated packages are now available.

Actions

Also available in: Atom PDF