filebrowser arbitrary js injection #1059

Closed
tablatronix opened this issue Jun 16, 2015 · 1 comment
@tablatronix
Member

reported by tc.coen

XSS

Risk: Medium-High; arbitrary JavaScript execution, which can lead to cookie stealing, key logging, and CSRF protection bypass, which in this case leads to arbitrary code execution via e.g. the theme editor
@tablatronix tablatronix added this to the 3.3.6 milestone Jun 16, 2015
@tablatronix
Member Author

Adding basic filtering for plugin compatibility; this is already deprecated in 3.4, which uses events binding.

tablatronix added a commit that referenced this issue Jun 16, 2015