[EDITED BY MOC] #3170
Comments
|
Sorry for the security risks of publishing items on the Internet |
|
After repair, I hope you will disclose this vulnerability to the public. |
|
@base64linqi Under "Preferences" in the admin area. What value do you have for |
|
default |
|
@base64linqi Yes, I understand how the internet works, thank you. Standard practice is to inform the developers, by the method outlined on their website, of a vulnerability so they are able to fix it before it is published. Once the fix has been released, there's no objection not to disclose the details to the public. |
|
Is XSS confirmed to exist? |
|
It is currently being looked into. We'll inform you of further updates. |
|
OK |
|
CVE-2018-11734 has been assigned for this issue. @Moc what release contains a fix for this? CVE information only contains "In e107 v2.1.7, output without filtering results in XSS." |
|
This has been fixed. Currently on vacation but I'll post details about which version contains the fix when I get back. |
|
This has been fixed but I cannot find the exact commit. I would assume the report was treated in the same way as described here: #3414 (comment). I would therefore use v2.3.0 as the release that fixes this commit. |
|
Yes, it has been repaired ^o^ |

[EDITED BY MOC]
Thank you for your report.
In the future, please report security issues by email to security@e107.org, instead of posting them here in public. I have removed the contents here to prevent abuse, and I have forwarded your report to security@e107.org.
[EDITED BY MOC]