
(removed) #3414

Closed
Kiss-sh0t opened this issue Sep 3, 2018 · 4 comments

Comments

@Kiss-sh0t

Kiss-sh0t commented Sep 3, 2018

(removed)

@Moc Moc changed the title from "Stored XSS on update comments in v2.1.9" to "(removed)" Sep 3, 2018
@Moc
Member

Moc commented Sep 3, 2018

Thank you.
Please submit security issues by email, to security [at] e107.org as outlined here https://e107.org/community

I've removed the contents of your report from the public until it has been investigated.
I've passed on the information to the developers.

@Moc Moc closed this as completed Sep 3, 2018
@fgeek

fgeek commented Aug 14, 2021

CVE-2018-17423 has been assigned for this issue. @Moc did this get fixed in the 2.2.0 release or in a later release?

@Moc
Member

Moc commented Aug 14, 2021

@fgeek Yes this has been fixed. I currently don't have access to a laptop to check the details on when it was fixed and in which release it is included.

If no one else has done it by then, I'll get the details end of August (currently on vacation).

@Moc
Member

Moc commented Sep 6, 2021

@fgeek More information on the vulnerability report here: https://github.com/Kiss-sh0t/e107_v2.1.9_XSS_poc/blob/master/e107-v2.1.9-xss-poc.pdf

The POC only worked if Site Preferences > Advanced Options > Content Filters > "Class which can post <script> and similar tags" (post_script) was set to their class. By default this was Main Admin but it changed to "Nobody" in 2.3.0. So only Main Admins could execute this.

d61ebe2

The report is therefore believed to be invalid. However, security has improved by changing the default class to "Nobody".

@Moc Moc mentioned this issue Sep 6, 2021
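The comment above turns on one setting: the class configured under "Class which can post <script> and similar tags" (post_script) decides whether a user's comment markup is stored raw or filtered. The following is an added illustration of that policy, written for this thread and not taken from e107's code base; the filter, the allow-lists, the class names as Python constants and the sample comment payload are all assumptions made for the example. It shows why the pre-2.3.0 default (Main Admin) let the reported payload through for a Main Admin, why an ordinary member was filtered either way, and why the 2.3.0 default ("Nobody") filters everyone.

```python
import html
from html.parser import HTMLParser

# Class names as used in the issue; the constants are this example's own.
MAIN_ADMIN = "Main Admin"
NOBODY = "Nobody"

# Minimal allow-list for the illustration (assumed, not e107's real filter rules).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}


class _Sanitizer(HTMLParser):
    """Rebuilds markup, dropping <script>/<style> elements (with their content),
    unknown tags, event-handler attributes and javascript: URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside a <script> or <style> element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, etc.
            if value.strip().lower().startswith("javascript:"):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def may_post_script(user_classes, post_script_class):
    """True only when the configured class is one the user actually holds.
    'Nobody' never matches, even for a user that happens to be in a class of that name."""
    return post_script_class != NOBODY and post_script_class in user_classes


def filter_comment(raw_html, user_classes, post_script_class):
    """Store the comment raw if the user is in the post_script class, else sanitize it."""
    if may_post_script(user_classes, post_script_class):
        return raw_html
    s = _Sanitizer()
    s.feed(raw_html)
    s.close()
    return "".join(s.out)


# Constructed sample payload in the spirit of the report (not the PoC's actual content).
PAYLOAD = (
    '<p>Nice post</p>'
    '<script>alert(document.cookie)</script>'
    '<a href="javascript:alert(1)" onclick="x()">x</a>'
)

if __name__ == "__main__":
    # Pre-2.3.0 default: Main Admin may post script, so an admin's edit is stored as-is.
    print(filter_comment(PAYLOAD, {MAIN_ADMIN}, MAIN_ADMIN))
    # Same default, ordinary member: script and handlers are stripped.
    print(filter_comment(PAYLOAD, {"Member"}, MAIN_ADMIN))
    # 2.3.0 default: nobody may post script, so even the Main Admin is filtered.
    print(filter_comment(PAYLOAD, {MAIN_ADMIN}, NOBODY))
```

The practical check when triaging a report like this one is therefore the value of post_script on the affected site: with the old default, the attacker must already be a Main Admin for the stored payload to survive, which is the basis for the "invalid" verdict above; with "Nobody", the setting cannot be met by any account.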