Project

General

Profile

Bug #8486

pkg_mgr_install.php: output variable not encoded before display

Added by Jim Pingle about 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Very High
Assignee:
Steve Beaver
Category:
Package System
Target version:
2.4.3-p1
Start date:
04/26/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.4.x
Affected Architecture:
All

Description

It is possible to inject arbitrary html/JS into pkg_mgr_install.php on POST through the output parameter, which is not encoded before display

Associated revisions

Revision 687e50fd (diff)
Added by Steve Beaver about 3 years ago

Fixed #8486 via htmlspecialchars()

Revision b662c5e4 (diff)
Added by Steve Beaver about 3 years ago

Fixed #8486 via htmlspecialchars()

(cherry picked from commit 687e50fd439179ba61a518c7b68c91b168e56e50)

Revision 5c856a1d (diff)
Added by Steve Beaver about 3 years ago

Fixed #8486 via htmlspecialchars()

(cherry picked from commit 687e50fd439179ba61a518c7b68c91b168e56e50)

Revision 72f363ed (diff)
Added by Steve Beaver about 3 years ago

Fixed #8486 via htmlspecialchars()

(cherry picked from commit 687e50fd439179ba61a518c7b68c91b168e56e50)

History

#1 Updated by Steve Beaver about 3 years ago

  • Assignee changed from Renato Botelho to Steve Beaver

#2 Updated by Steve Beaver about 3 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to Resolved

Unable to reproduce with the fix applied. Looks good to me.

#4 Updated by Jim Pingle about 3 years ago

  • Target version changed from 2.4.4 to 2.4.3-p1

#5 Updated by Jim Pingle about 3 years ago

  • Private changed from Yes to No

Also available in: Atom PDF