(removed) #3414
Comments
Thank you. I've removed the contents of your report from the public until it has been investigated.

CVE-2018-17423 has been assigned for this issue. @Moc did this get fixed in 2.2.0 release or other future release?

@fgeek Yes this has been fixed. I currently don't have access to a laptop to check the details on when it was fixed and in which release it is included. If no one else has done it by then, I'll get the details end of August (currently on vacation).

@fgeek More information on the vulnerability report here: https://github.com/Kiss-sh0t/e107_v2.1.9_XSS_poc/blob/master/e107-v2.1.9-xss-poc.pdf The POC only worked if Site Preferences > Advanced Options > Content Filters > "Class which can post <script> and similar tags" ( The report is therefore believed to be invalid. However, security has improved by changing the default class to "Nobody".
(removed)