Project

General

Profile

Actions

Bug #9554

closed

Stored XSS in ACME Package (version 0.5.7_1) /acme/acme_accountkeys_edit.php

Added by Chi Tran over 5 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
ACME
Target version:
-
Start date:
05/25/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.4.4-p3
Affected Plus Version:
Affected Architecture:
amd64

Description

Stored XSS vulnerability occurs due to input validation errors in "Name" and "Description" fields when adding new account key.

Remediation:
- HTML Escape on those parameters would probably fix the issue.

Proof of Concept:
- See attached picture


Files

Stored XSS.PNG (34.4 KB) Stored XSS.PNG Chi Tran, 05/25/2019 04:05 PM
Actions

Also available in: Atom PDF