Project

General

Profile

Bug #9335

Stored XSS in HAProxy / haproxy_listeners_edit.php

Added by Jim Pingle 10 months ago. Updated 10 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
haproxy
Target version:
-
Start date:
02/18/2019
Due date:
% Done:

0%

Estimated time:
Affected Version:
All
Affected Architecture:
All

Description

There is a stored XSS on haproxy_listeners.php via parameters submitted on haproxy_listeners_edit.php:

The following parameters are not encoded before display back to the user:

  • desc
  • table_actionsaclN

Since these are free-form, they can't be fully validated, so adding encoding is sufficient.

History

#1 Updated by Jim Pingle 10 months ago

  • Status changed from New to Feedback
  • Private changed from Yes to No

Also available in: Atom PDF