Bug #7876

Potential XSS in status_monitoring.php

Added by Jim Pingle over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Urgent
Assignee:
Category: Status_Monitoring
Target version:
Start date: 09/19/2017
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

The "view" variable in status_monitoring.php is taken from $_GET and used in a hidden input ("view-title") without encoding, thus user-supplied input from GET is being put directly in the resulting HTML, resulting in an XSS vector.
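As an added illustration of the defect described above, the unencoded hidden-input pattern is shown next to the attribute-context encoding that closes the hole. This is example code, not status_monitoring.php and not necessarily the committed fix; only the parameter name `view` and the input name `view-title` come from the report, and the allowed-view list is an assumption.

```php
<?php
// Added example. Only "view" and "view-title" are taken from the bug report;
// everything else is illustrative.

// Vulnerable pattern: the raw query-string value is concatenated into an HTML
// attribute. A double quote in the value terminates the attribute early, so
// whatever follows is parsed as markup by the browser (reflected XSS).
function view_title_input_unsafe(string $view): string
{
    return '<input type="hidden" name="view-title" value="' . $view . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES covers
// both quote styles; ENT_SUBSTITUTE keeps htmlspecialchars() from returning an
// empty string on invalid UTF-8, which would silently drop the whole value.
function view_title_input_safe(string $view): string
{
    $encoded = htmlspecialchars($view, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="view-title" value="' . $encoded . '">';
}

// Defence in depth: a GET parameter that selects a view can be restricted to
// a known set before it is used anywhere. The allowed list is an assumption.
function resolve_view(array $get, array $allowed, string $default): string
{
    $view = $get['view'] ?? $default;
    return in_array($view, $allowed, true) ? $view : $default;
}

// Constructed request (not a real payload): the value contains the characters
// that are significant inside an attribute and in text content.
$get = ['view' => 'a"b<c>&d'];

// The unsafe output reproduces the bug: the quote closes the value attribute.
echo view_title_input_unsafe($get['view']), PHP_EOL;

// The encoded output keeps the same characters but as HTML entities, so the
// value stays inside the attribute regardless of its content.
echo view_title_input_safe($get['view']), PHP_EOL;

// With allow-listing, an unknown view name never reaches the page at all.
$view = resolve_view($get, ['default', 'custom'], 'default');
echo view_title_input_safe($view), PHP_EOL;
```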

History

#1 Updated by Jim Pingle over 1 year ago

  • Status changed from Confirmed to Feedback

Fixes pushed to the freebsd-ports repo:

FreeBSD-ports/devel f044c1e4e3f647028c57ae1a572dc6377e555ff3
FreeBSD-ports/RELENG_2_4_0 c919d10d1194da689a18905801bfe86ceef82230
FreeBSD-ports/RELENG_2_3 0db1ce65a93b063c268aaed477252197d566da03
FreeBSD-ports/RELENG_2_3_4 c3c919d640ff0a7319b8f080184bb90dabc7807e

#2 Updated by Jim Pingle over 1 year ago

  • % Done changed from 0 to 100

#3 Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Resolved

Confirmed fixed on the latest snapshot.

#4 Updated by Jim Pingle over 1 year ago

  • Private changed from Yes to No