Bug #9507

Potential XSS in WOL widget (widgets/widgets/wake_on_lan_widget.php) via WOL entry description

Added by Jim Pingle 11 months ago. Updated 11 months ago.

Status: Resolved
Priority: High
Assignee:
Category: Dashboard
Target version:
Start date: 05/08/2019
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

The WOL widget, widgets/widgets/wake_on_lan_widget.php, does not encode the description before display, so user-entered free-form text such as rule descriptions containing HTML can be interpreted by the browser.
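
The following is an added example, not the widget's own code or the fix commit, that shows the defect class in miniature: a stored description is concatenated straight into the dashboard's HTML, so a description containing markup runs in the browser of whoever views the dashboard. The entry array shape, the `render_row_unsafe`/`render_row_safe`/`h` helpers and the sample entries are all constructed for illustration; the real widget reads WOL entries from the pfSense configuration.

```php
<?php
// Added example (not pfSense code). Constructed WOL entries: the second one carries
// the kind of description a low-privileged editor could save through the WOL page.
$entries = [
    ['mac' => '00:11:22:33:44:55', 'descr' => 'Build server'],
    ['mac' => '66:77:88:99:aa:bb', 'descr' => '<img src=x onerror="alert(document.cookie)">'],
];

// Before the fix: the description is inserted into the row verbatim, so any HTML
// or script in it is interpreted when the dashboard renders.
function render_row_unsafe(array $e): string
{
    return '<tr><td>' . $e['mac'] . '</td><td>' . $e['descr'] . '</td></tr>';
}

// After the fix: every untrusted field is HTML-encoded at the output point.
// ENT_QUOTES also encodes single and double quotes, so the same helper is safe
// when a value lands inside an attribute; ENT_SUBSTITUTE avoids returning an
// empty string (and silently dropping the cell) on malformed UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

function render_row_safe(array $e): string
{
    return '<tr><td>' . h($e['mac']) . '</td><td>' . h($e['descr']) . '</td></tr>';
}

// Self-check: after encoding, no angle bracket from the input survives into the
// description cell, so the browser sees text, not a tag.
function description_cell_is_inert(array $e): bool
{
    $row  = render_row_safe($e);
    $cell = substr($row, strpos($row, '</td><td>') + strlen('</td><td>'));
    return strpos($cell, '<img') === false && strpos($cell, 'onerror=') === false;
}

foreach ($entries as $e) {
    echo "unsafe: " . render_row_unsafe($e) . "\n";
    echo "safe:   " . render_row_safe($e) . "\n";
    echo "inert:  " . (description_cell_is_inert($e) ? 'yes' : 'NO') . "\n\n";
}
```

Two practitioner notes. First, encode at the point of output rather than on save: the same description is also shown on the WOL edit page and in the configuration backup, and each sink needs the encoding appropriate to its context (HTML body, attribute, JavaScript string). Second, the affected versions are listed as "All" and the fix was cherry-picked onto 2.4.4-p3, so an installation still on an earlier 2.4.4 patch level remains exposed to any user who can create or edit WOL entries, which is worth remembering when reviewing dashboard widgets in general: anything that echoes a stored free-form field without `htmlspecialchars()` has the same shape.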

Associated revisions

Revision 5789a02e (diff)
Added by Jim Pingle 11 months ago

Encode descr in the WOL widget. Fixes #9507

Revision 5b5bb248 (diff)
Added by Jim Pingle 11 months ago

Encode descr in the WOL widget. Fixes #9507

(cherry picked from commit 5789a02eab9b2ebbcb1f28d1d037b408b436a853)

History

#1 Updated by Jim Pingle 11 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Jim Pingle 11 months ago

  • Target version changed from 2.5.0 to 2.4.4-p3

#3 Updated by Jim Pingle 11 months ago

  • Parent task changed from #9398 to #9515

#4 Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Resolved

Unable to reproduce on -p3. Looks good.

#5 Updated by Jim Pingle 11 months ago

  • Private changed from Yes to No
