Project

General

Profile

Actions

Bug #7998

closed

XSS in widgetkey parameter of multi-instance dashboard widgets

Added by Jim Pingle about 7 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
Urgent
Assignee:
Category:
Dashboard
Target version:
Start date:
10/24/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.x
Affected Architecture:
All

Description

Widgets that populate $widgetkey from $_REQUEST are vulnerable to XSS

Test query: /widgets/widgets/interfaces.widget.php?widgetkey=<script>alert("XSS")</script>

Only affects 2.4.x

Actions

Also available in: Atom PDF