traffic_graphs.widget.php potential XSS via settings
The widget needs input validation and to encode the setting output before use.
Updated by Anonymous about 4 years ago
On 2.4.2 CE, added traffic graph widget to dash, set refresh interval to 1s, saved, backed up config and edited the config.xml to replace <refreshinterval>1</refreshinterval>
after the reboot, logged in and got an alert popup on the dashboard.
Upgraded to 2.4.3.a.20180308.0936, logged in, no alert popup on the dashboard, backed up config,
still present in the config.
Cannot paste text with letters into the refresh interval field in Widget settings, results in "e1" showing up in the field. Also cannot type letters into the field.
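An added example, not pfSense's code and not part of the original report, of the two fixes the description asks for: validate the refresh interval read from the configuration, then encode it for the context it is written into. The function names, default, bounds and sample values are assumptions made for illustration.

```php
<?php
// Added illustration: names, default and bounds below are assumptions,
// not values taken from traffic_graphs.widget.php.
const REFRESH_DEFAULT = 1;  // seconds (assumed)
const REFRESH_MIN = 1;      // assumed lower bound
const REFRESH_MAX = 10;     // assumed upper bound

/**
 * Validate an untrusted setting value. Anything that is not a plain
 * integer inside the allowed range falls back to the default, so a
 * hand-edited config.xml cannot carry markup or script into the page.
 */
function sanitize_refresh_interval($raw): int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => REFRESH_MIN, 'max_range' => REFRESH_MAX],
    ]);
    return ($value === false) ? REFRESH_DEFAULT : $value;
}

/** Encode for an inline script: emit a JSON literal, never raw text. */
function render_refresh_script($raw): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode(sanitize_refresh_interval($raw), $flags);
    return "<script>var refreshInterval = {$json};</script>";
}

/** Encode for an HTML attribute in the widget's settings form. */
function render_refresh_field($raw): string
{
    $value = htmlspecialchars(
        (string) sanitize_refresh_interval($raw), ENT_QUOTES, 'UTF-8'
    );
    return '<input type="number" name="refreshinterval" min="' . REFRESH_MIN
        . '" max="' . REFRESH_MAX . '" value="' . $value . '">';
}

// Constructed sample values, as they might be read back from a saved config.
$samples = ['1', '5', '0', '9999', 'e1', '1<b>', ['1']];
foreach ($samples as $raw) {
    echo json_encode($raw), ' => ', sanitize_refresh_interval($raw), "\n";
    echo '  ', render_refresh_script($raw), "\n";
    echo '  ', render_refresh_field($raw), "\n";
}
```

Validation runs when the value is read, not only when the form is submitted, because the comment above shows the stored value can be changed outside the GUI.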