Fix XSS in adm_config_report.php (CVE-2018-6403)

Nguyen Tri Tuan reported this vulnerability, allowing an attacker to inject arbitrary code through a crafted 'value' parameter. Prevent the attack by sanitizing the variable before output. Fixes #23906
mantisbt · Jan 31, 2018 · c4afcb1 · c4afcb1
1 parent 2118845
commit c4afcb1
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/adm_config_report.php b/adm_config_report.php
@@ -131,7 +131,7 @@ function print_config_value_as_string( $p_type, $p_value, $p_for_display = true
 	if( $p_for_display ) {
 		echo '<pre id="adm-config-value">' . string_attribute( $t_output ) . '</pre>';
 	} else {
-		echo $t_output;
+		echo string_attribute( $t_output );
 	}
 }