Bug #7998
XSS in widgetkey parameter of multi-instance dashboard widgets
Status: closed
Start date: 10/24/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.x
Affected Architecture: All
Description
Widgets that populate $widgetkey from $_REQUEST are vulnerable to XSS
Test query: /widgets/widgets/interfaces.widget.php?widgetkey=<script>alert("XSS")</script>
Only affects 2.4.x
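
The pattern the report describes, next to a hardened form, as an added example that is not pfSense code: the function names, the markup and the assumed key format (widget name, hyphen, instance number) are hypothetical.

```php
<?php
// Added example: hypothetical widget code, not taken from the pfSense source.

// Vulnerable pattern: the request value is echoed into markup unchanged.
function render_widget_vulnerable(array $request): string {
    $widgetkey = $request['widgetkey'] ?? '';
    return '<div id="widget-' . $widgetkey . '"></div>';
}

// Assumed key format: lowercase widget name, hyphen, instance number.
function valid_widgetkey(string $key): bool {
    return preg_match('/\A[a-z_]+-[0-9]+\z/', $key) === 1;
}

// Hardened pattern: reject keys outside the allowlist, then encode on output.
function render_widget_hardened(array $request): ?string {
    $widgetkey = $request['widgetkey'] ?? '';
    if (!is_string($widgetkey) || !valid_widgetkey($widgetkey)) {
        return null; // caller should answer with an error and render nothing
    }
    $safe = htmlspecialchars($widgetkey, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div id="widget-' . $safe . '"></div>';
}

// Constructed sample inputs: a normal key and the test query from this report.
$samples = ['interfaces-0', '<script>alert("XSS")</script>'];
foreach ($samples as $key) {
    $request = ['widgetkey' => $key];
    echo "input:      ", $key, PHP_EOL;
    echo "vulnerable: ", render_widget_vulnerable($request), PHP_EOL;
    $out = render_widget_hardened($request);
    echo "hardened:   ", $out ?? '(rejected)', PHP_EOL, PHP_EOL;
}
```

Validation and output encoding are applied together here: the allowlist rejects malformed keys early, and the encoding still protects the markup if the accepted format is later widened.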