Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stored XSS in "Real Name" field - My Account #164

Closed
SegfaultMasters opened this issue Jan 16, 2019 · 4 comments
Closed

Stored XSS in "Real Name" field - My Account #164

SegfaultMasters opened this issue Jan 16, 2019 · 4 comments

Comments

@SegfaultMasters
Copy link

Description -
There's no escape being done before printing out the value of Real Name in the My Account page.

ATutor version - v2.2.4

Steps to reproduce -

image11

image6

@atutor
Copy link
Owner

atutor commented Jan 16, 2019

Please submit a pull request to fix this.

@fgeek
Copy link

fgeek commented Jan 30, 2019

Someone requested CVE identifier for this vulnerability and it got assigned CVE-2019-7172.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7172
https://nvd.nist.gov/vuln/detail/CVE-2019-7172

@fgeek
Copy link

fgeek commented Jan 31, 2019

Please submit a pull request to fix this.

As a maintainer of this project are you planning to fix this and release new version? I don't think waiting for PRs is correct way to handle security issues (maybe only if this is mentioned clearly in some documentation). Of course that is only my personal opinion, but I can't recommend people to use ATutor if this is the case.

@atutor
Copy link
Owner

atutor commented Jan 31, 2019

ATutor is no longer maintained.

@gregrgay gregrgay closed this as completed Sep 9, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants