Actions
Bug #9554
closedStored XSS in ACME Package (version 0.5.7_1) /acme/acme_accountkeys_edit.php
Start date:
05/25/2019
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
Affected Version:
2.4.4-p3
Affected Plus Version:
Affected Architecture:
amd64
Description
Stored XSS vulnerability occurs due to input validation errors in "Name" and "Description" fields when adding new account key.
Remediation:
- HTML Escape on those parameters would probably fix the issue.
Proof of Concept:
- See attached picture
Files
Actions