Bug #8486
pkg_mgr_install.php: output variable not encoded before display
Status: Resolved
Priority: Very High
Assignee:
Category: Package System
Target version:
Start date: 04/26/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.x
Affected Architecture: All
Description
It is possible to inject arbitrary HTML/JS into pkg_mgr_install.php on POST through the output parameter, which is not encoded before display.
Associated revisions
Fixed #8486 via htmlspecialchars()
(cherry picked from commit 687e50fd439179ba61a518c7b68c91b168e56e50)
History
#1
Updated by Steve Beaver almost 3 years ago
- Assignee changed from Renato Botelho to Steve Beaver
#2
Updated by Steve Beaver almost 3 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 687e50fd439179ba61a518c7b68c91b168e56e50.
#3
Updated by Jim Pingle almost 3 years ago
- Status changed from Feedback to Resolved
Unable to reproduce with the fix applied. Looks good to me.
#4
Updated by Jim Pingle over 2 years ago
- Target version changed from 2.4.4 to 2.4.3-p1
#5
Updated by Jim Pingle over 2 years ago
- Private changed from Yes to No