Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LMS 8.2.0: XSS in title format fields #760

Closed
sh00bx opened this issue Feb 12, 2022 · 1 comment
Closed

LMS 8.2.0: XSS in title format fields #760

sh00bx opened this issue Feb 12, 2022 · 1 comment

Comments

@sh00bx
Copy link

sh00bx commented Feb 12, 2022

On LMS 8.2, the title format fields under settings, interface are susceptible to XSS.

PoC documented by Mert Das here:
https://www.exploit-db.com/exploits/50413

grafik
mherger added a commit that referenced this issue Feb 12, 2022
@mherger
Merge branch 'public/8.2' into public/8.3
1ea7b08 
* public/8.2:
  Fix #760 HTML encode all kinds of potential user input rendered in the web UI.

# Conflicts:
#	HTML/EN/settings/server/squeezenetwork.html
#	Slim/Plugin/Podcast/HTML/EN/plugins/Podcast/settings/basic.html
@mherger
Copy link
Contributor

mherger commented Feb 12, 2022

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mherger @sh00bx