Bug #7999
Updated by Jim Pingle about 7 years ago
On diag_dns.php, the 'hostname' parameter is sent back to the user without encoding in a JavaScript block, leading to an XSS.
Affects 2.3.x and 2.4.x.
To test, enter this for the hostname:
<pre>
0.0.0.0";alert("diag_dns XSS")//
</pre>