Bug #8259

closed

Range description is not encoded in firewall_schedule.php

Added by Jim Pingle over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Very Low
Assignee:
Category: Rules / NAT
Target version:
Start date: 01/05/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

On firewall_schedule.php the rangedescr for time ranges is not encoded before display. However, an invalid entry cannot be made using the GUI to take advantage of the issue.

Achieving an XSS requires manually modifying a backup to trigger the issue, and if someone can restore a manually modified backup, there are many worse things they could do. Thus it is not considered a viable threat.
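
The gap described above, shown from the defender's side as an added example (not code from firewall_schedule.php or from the project): a pre-restore check that lists `rangedescr` values carrying markup characters, and output encoding applied on the display path. The backup layout, the sample values and the helper names `html_encode` and `find_markup_in_rangedescr` are assumptions; only the field name `rangedescr` comes from the ticket.

```php
<?php
// Added example, not code from firewall_schedule.php.
// Constructed backup fragment; the element layout is an assumption, only the
// field name rangedescr comes from the ticket.
$backup = <<<'XML'
<config>
  <schedules>
    <schedule>
      <name>office</name>
      <timerange><hour>9:00-17:00</hour><rangedescr>Office hours</rangedescr></timerange>
      <timerange><hour>0:00-23:59</hour><rangedescr>Lab &lt;b&gt;24x7&lt;/b&gt;</rangedescr></timerange>
    </schedule>
  </schedules>
</config>
XML;

/** Encode a stored value for an HTML element or quoted-attribute context. */
function html_encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return every rangedescr in the backup that contains HTML metacharacters. */
function find_markup_in_rangedescr(string $xml): array
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        throw new InvalidArgumentException('backup is not well-formed XML');
    }
    $hits = [];
    foreach ($doc->xpath('//rangedescr') as $node) {
        $value = (string) $node;          // entity-decoded text, as stored
        if (strpbrk($value, '<>"\'&') !== false) {
            $hits[] = $value;
        }
    }
    return $hits;
}

// Pre-restore check: report descriptions that carry markup characters.
foreach (find_markup_in_rangedescr($backup) as $value) {
    echo 'suspicious rangedescr: ', html_encode($value), PHP_EOL;
}

// Display path: encode at output regardless of how the value was stored.
foreach (simplexml_load_string($backup)->xpath('//rangedescr') as $node) {
    echo '<td>', html_encode((string) $node), '</td>', PHP_EOL;
}
```

Encoding at output covers values that never passed through the GUI's input checks, which is the case a hand-edited backup creates.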

#1

Updated by Jim Pingle over 3 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#2

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Resolved

OK now.
