admin/profile.php At xss #1234

wangai666 · 2017-06-28T02:37:37Z

Display Name: where there is xss
payload: "><script>alert(/xss/)</script>

fgeek · 2017-07-01T11:44:04Z

CVE-2017-10673 has been assigned for this issue. Please use it in the commit message and ChangeLog, thanks.

tablatronix · 2017-07-01T16:50:47Z

This has not been verified, nor reproduced in 3.3.x

wangai666 · 2017-07-01T16:54:38Z

in GetSimpleCMS - 3.4.0a

tablatronix · 2017-07-01T17:00:43Z

Thanks

Yes known issue in DEV branch, settings.php xss fixed were not merged into new profile.php and have to be manually repatched. profile.php does not exist in stable.

There is no current dev release for master branch, CVE in invalid for stable.

#797

reapply basic xss filtering on profile.php

wangai666 · 2017-07-01T17:05:29Z

blunt，Hope to learn more with you!

tablatronix added Bug SECURITY labels Jun 29, 2017

tablatronix added the DEV label Jul 1, 2017

tablatronix added this to the 3.4.0 milestone Jul 1, 2017

tablatronix closed this as completed in e4433b9 Jul 3, 2017

tablatronix added this to Dev Bugs in 3.4 Release Tasks Dec 23, 2017

tablatronix removed this from Dev Outstanding in 3.4 Release Tasks Dec 23, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

admin/profile.php At xss #1234

admin/profile.php At xss #1234

wangai666 commented Jun 28, 2017 •

edited

fgeek commented Jul 1, 2017 •

edited

tablatronix commented Jul 1, 2017

wangai666 commented Jul 1, 2017

tablatronix commented Jul 1, 2017 •

edited

wangai666 commented Jul 1, 2017

admin/profile.php At xss #1234

admin/profile.php At xss #1234

Comments

wangai666 commented Jun 28, 2017 • edited

fgeek commented Jul 1, 2017 • edited

tablatronix commented Jul 1, 2017

wangai666 commented Jul 1, 2017

tablatronix commented Jul 1, 2017 • edited

wangai666 commented Jul 1, 2017

wangai666 commented Jun 28, 2017 •

edited

fgeek commented Jul 1, 2017 •

edited

tablatronix commented Jul 1, 2017 •

edited