[Bug reporting] XSS vulnerabilty in wp_kses_bad_protocol in wp-includes/kses.php (CVE-2019-20041)

Hi

Our research team in KAIST WSP Lab found a known XSS vulnerability in the recent version of dockerlabs.
In particular, the bug we report is a known bug by CVE-2019-20041.

> wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript&colon; substring.

Please check this [line](https://github.com/collabnix/dockerlabs/blob/d9bb544f92a024c58ed3da75b83de825095272f8/advanced/security/apparmor/wordpress/html/wp-includes/kses.php#L1336).

Thanks!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Uh oh!

[Bug reporting] XSS vulnerabilty in wp_kses_bad_protocol in wp-includes/kses.php (CVE-2019-20041) #400

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Uh oh!

[Bug reporting] XSS vulnerabilty in wp_kses_bad_protocol in wp-includes/kses.php (CVE-2019-20041) #400

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions