I've already tried to report security issues privately via mail (message-id 20140520102828.30d346b6@xantho) on 20/05/2014 but didn't get any reply, thus I'm filing a public report.
The "addr" parameter is not escaped at all when used in <title>, so it may be abused to perform an XSS on the result page. This issue is due to missing escaping at lg.cgi:494 and whereabouts.
cc @emdel for credits
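
The escaping the report asks for, as an added example that is not part of the original report and not lg.cgi's own code: the parameter is HTML-escaped at the point where it is written into `<title>`. The sub names, the `ping` command label, the title layout and the allow-list for `addr` are assumptions.

```perl
#!/usr/bin/perl
# Added example, not lg.cgi code. All names here are hypothetical.
use strict;
use warnings;

my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
           '"' => '&quot;', "'" => '&#39;');

# Replace every HTML-significant character with its entity in one pass.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/([&<>"'])/$ENT{$1}/g;
    return $s;
}

# Assumption: addr is an IP address, prefix or hostname, so a narrow
# allow-list works as a second layer. Adjust to what the tool accepts.
sub addr_looks_valid {
    my ($addr) = @_;
    return defined $addr && $addr =~ /\A[A-Za-z0-9.:\/_-]{1,255}\z/ ? 1 : 0;
}

# "Before": the raw value is interpolated into the markup.
sub title_unescaped {
    my ($cmd, $addr) = @_;
    return "<title>$cmd $addr</title>";
}

# "After": the value is escaped where it is emitted.
sub title_escaped {
    my ($cmd, $addr) = @_;
    return '<title>' . html_escape("$cmd $addr") . '</title>';
}

# Constructed sample values, not taken from a real request.
for my $addr ('192.0.2.1', '</title><b>markup</b>') {
    printf "addr      : %s\n", $addr;
    printf "valid     : %s\n", addr_looks_valid($addr) ? 'yes' : 'no';
    printf "unescaped : %s\n", title_unescaped('ping', $addr);
    printf "escaped   : %s\n\n", title_escaped('ping', $addr);
}
```

Escaping at output is the actual fix; the allow-list only narrows what reaches the page and does not replace it.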