Impact
The ajax.render.php?operation=wizard_helper page doesn't properly escape the passed parameters, allowing cross-site scripting (XSS).
Patches
Fixed in 3.0.0 (October 2021)
References
Combodo ref N°4362
Credits
Redshell (https://github.com/RedShellSec)
For more information
If you have any questions or comments about this advisory:
Email us at itop-security@combodo.com