Project

General

Profile

Actions

Bug #8486

closed

pkg_mgr_install.php: output variable not encoded before display

Added by Jim Pingle over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Very High
Assignee:
-
Category:
Package System
Target version:
Start date:
04/26/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.x
Affected Architecture:
All

Description

It is possible to inject arbitrary html/JS into pkg_mgr_install.php on POST through the output parameter, which is not encoded before display

Actions

Also available in: Atom PDF