Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Multiple XSS #7962

Closed
thefLink opened this issue Dec 14, 2017 · 2 comments
Closed

Multiple XSS #7962

thefLink opened this issue Dec 14, 2017 · 2 comments
Labels
Issue Stale (automatic label) This issue is stale because it has been open 1 year with no activity. Remove this label to keep open

Comments

@thefLink
Copy link

thefLink commented Dec 14, 2017

Hello,

Several reflected XSS can be found in version 6.0.4.
This is because the id parameter is not properly validated in the function:

GETPOST('id')

Therefore php code like

print ?id='.(GETPOST('id')

Will lead to reflected xss as it can be seen in the module 'card.php':

dolibarr-6.0.4/htdocs/product/stats/card.php?id=lol"> <script> alert ( 123 ) </script>

The same bug exists in various other modules

Cheers

@thefLink
Copy link
Author

Any updates here?

@github-actions
Copy link

github-actions bot commented Mar 1, 2020

This issue is stale because it has been open 1 year with no activity. If this is a bug, please comment to confirm it is still present on latest stable version. if this is a feature request, please comment to notify the request is still relevant and not yet covered by latest stable version. Without comment, this issue will be closed automatically by stale bot in 15 days.

@github-actions github-actions bot added the Issue Stale (automatic label) This issue is stale because it has been open 1 year with no activity. Remove this label to keep open label Mar 1, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Issue Stale (automatic label) This issue is stale because it has been open 1 year with no activity. Remove this label to keep open
Projects
None yet
Development

No branches or pull requests

1 participant