Bug #7998 (closed)
XSS in widgetkey parameter of multi-instance dashboard widgets
Start date: 10/24/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.x
Affected Architecture: All
Description
Widgets that populate $widgetkey from $_REQUEST are vulnerable to XSS.
Test query: /widgets/widgets/interfaces.widget.php?widgetkey=<script>alert("XSS")</script>
Only affects 2.4.x.
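
Added example, not part of the ticket and not the code from the changeset: the reflected pattern the description names, next to one way to close it by validating the key shape on input and encoding it on output. The function names, the form markup and the "name-N" key format are assumptions made for illustration.

```php
<?php
// Added illustration. Function names and the "<widgetname>-<number>" key
// format are assumptions, not pfSense code.

// Vulnerable pattern: the request value reaches the markup unchanged.
function render_widget_vulnerable(array $request): string {
    $widgetkey = $request['widgetkey'] ?? '';
    return '<form id="' . $widgetkey . '_form"></form>';
}

// Input side: accept only the expected key shape for this widget.
function parse_widgetkey(array $request, string $widgetname): ?string {
    $value = $request['widgetkey'] ?? '';
    if (!is_string($value)) {
        return null; // array input such as widgetkey[]=x is rejected
    }
    // \A and \z anchor the whole string, so a trailing newline cannot slip by.
    $pattern = '/\A' . preg_quote($widgetname, '/') . '-\d{1,4}\z/';
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// Output side: encode even a validated value before it enters HTML.
function render_widget_hardened(array $request, string $widgetname): string {
    $widgetkey = parse_widgetkey($request, $widgetname);
    if ($widgetkey === null) {
        return ''; // caller should respond with an error and render nothing
    }
    $safe = htmlspecialchars($widgetkey, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form id="' . $safe . '_form"></form>';
}

// Constructed sample requests.
$samples = [
    ['widgetkey' => 'interfaces-0'],
    ['widgetkey' => '<script>alert("XSS")</script>'], // value from the ticket's test query
    ['widgetkey' => ['x']],
    [],
];

// The vulnerable renderer returns the script tag as live markup.
echo 'vulnerable: ', render_widget_vulnerable($samples[1]), PHP_EOL;

// The hardened renderer accepts only the first sample.
foreach ($samples as $request) {
    $out = render_widget_hardened($request, 'interfaces');
    echo 'hardened:   ', ($out === '' ? '[rejected]' : $out), PHP_EOL;
}
```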
Updated by Jim Pingle about 7 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset e3907730bdcc879f968d5d917ec9ac6567518e58.
Updated by Jim Pingle about 7 years ago
- Status changed from Feedback to Resolved