Skip to content
Permalink
Browse files
Fix Multiple Stored XSS in Administration allowing execution of arbit…
…rary JavaScript code (#1260)

Add escape:"html" when rendering data on FE 

Fix bug stored XSS - Data when render on FE allows execution of arbitrary javascript code

Disclosure: https://huntr.dev/bounties/cc5c6cdd-8030-4eb1-af75-947780ee12e0
  • Loading branch information
noobpk committed Nov 15, 2021
1 parent 062389e commit a4b6fd7d308395377133b4ff1cd0e9c58c5edb2d
Showing with 74 additions and 72 deletions.
  1. +2 −0 CHANGELOG.md
  2. +1 −1 templates/adv_search.tpl.html
  3. +1 −1 templates/custom_fields.tpl.html
  4. +2 −2 templates/edit_custom_fields.tpl.html
  5. +1 −1 templates/faq.tpl.html
  6. +1 −1 templates/include/new_form.tpl.html
  7. +1 −1 templates/latest_news.tpl.html
  8. +3 −3 templates/list.tpl.html
  9. +1 −1 templates/manage/anonymous.tpl.html
  10. +3 −3 templates/manage/categories.tpl.html
  11. +1 −1 templates/manage/column_display.tpl.html
  12. +6 −6 templates/manage/custom_fields.tpl.html
  13. +1 −1 templates/manage/email_accounts.tpl.html
  14. +1 −1 templates/manage/email_responses.tpl.html
  15. +6 −6 templates/manage/groups.tpl.html
  16. +1 −1 templates/manage/issue_auto_creation.tpl.html
  17. +3 −3 templates/manage/link_filters.tpl.html
  18. +1 −1 templates/manage/news.tpl.html
  19. +3 −3 templates/manage/phone_categories.tpl.html
  20. +3 −3 templates/manage/priorities.tpl.html
  21. +1 −1 templates/manage/products.tpl.html
  22. +1 −1 templates/manage/projects.tpl.html
  23. +3 −3 templates/manage/releases.tpl.html
  24. +2 −2 templates/manage/resolution.tpl.html
  25. +1 −1 templates/manage/round_robin.tpl.html
  26. +5 −5 templates/manage/severities.tpl.html
  27. +1 −1 templates/manage/status_action_date.tpl.html
  28. +1 −1 templates/manage/statuses.tpl.html
  29. +2 −2 templates/manage/time_tracking.tpl.html
  30. +1 −1 templates/manage/users_form.tpl.html
  31. +2 −2 templates/manage/users_list.tpl.html
  32. +2 −2 templates/phone_support.tpl.html
  33. +2 −2 templates/reports/category_statuses.tpl.html
  34. +1 −1 templates/reports/custom_fields.tpl.html
  35. +1 −1 templates/reports/custom_fields_weekly.tpl.html
  36. +2 −2 templates/reports/estimated_dev_time.tpl.html
  37. +1 −1 templates/select_project.tpl.html
  38. +1 −1 templates/time_tracking.tpl.html
  39. +2 −2 templates/view_form.tpl.html
@@ -4,6 +4,8 @@

See [Upgrading] for details on how to upgrade.

- Fix Multiple Stored XSS in Administration allowing execution of arbitrary JavaScript code, #1260

[3.10.9]: https://github.com/eventum/eventum/compare/v3.10.8...master

## [3.10.8] - 2021-11-10
@@ -372,7 +372,7 @@
{if $core.current_role < $core.roles.manager and $custom[i].cst_is_global}
{$custom[i].cst_title}
{else}
<a href="adv_search.php?custom_id={$custom[i].cst_id}" title="{t}edit this custom search{/t}">{$custom[i].cst_title}</a>
<a href="adv_search.php?custom_id={$custom[i].cst_id}" title="{t}edit this custom search{/t}">{$custom[i].cst_title|escape:"html"}</a>
{/if}
</span>
{if $custom[i].cst_is_global}<span><i>({t}global filter{/t})</i></span>{/if}
@@ -11,7 +11,7 @@
{section name="i" loop=$custom_fields}
<tr class="{cycle values='odd,even'}" {if $custom_fields[i].hide_when_no_options|default:0 == 1 && $custom_fields[i].value == ''}style="display: none"{/if}>
<th class="{if $custom_fields[i].fld_min_role > $core.roles.customer}internal{/if}">
{$custom_fields[i].fld_title}
{$custom_fields[i].fld_title|escape:"html"}
</th>
<td>
{if $custom_fields[i].fld_type == 'textarea'}
@@ -18,11 +18,11 @@
<tr class="custom_field"
data-custom-id="{$custom_fields[i].fld_id}"
data-custom-type="{$custom_fields[i].fld_type}"
data-custom-title="{$custom_fields[i].fld_title}"
data-custom-title="{$custom_fields[i].fld_title|escape:'html'}"
data-custom-required="{$cf_required}"
data-custom-validation-js="{$custom_fields[i].validation_js|default:''}">
<th class="{if $custom_fields[i].fld_min_role > $core.roles.customer}internal{/if}">
{$custom_fields[i].fld_title}{if $cf_required} *{/if}
{$custom_fields[i].fld_title|escape:"html"}{if $cf_required} *{/if}
</th>
<td>
{if $custom_fields[i].fld_type == 'text'}
@@ -34,7 +34,7 @@
</tr>
{section name="i" loop=$faqs}
<tr class="{cycle values='odd,even'}">
<td><b><a href="faq.php?id={$faqs[i].faq_id}" title="{t}read faq entry{/t}">{$faqs[i].faq_title}</a></b></td>
<td><b><a href="faq.php?id={$faqs[i].faq_id}" title="{t}read faq entry{/t}">{$faqs[i].faq_title|escape:"html"}</a></b></td>
<td>{$faqs[i].faq_updated_date|timeago}</td>
</tr>
{/section}
@@ -47,7 +47,7 @@
<tr class="title">
<th colspan="2">
{t}Create New Issue{/t}
<span class="menu">({t}Current Project{/t}: {$core.project_name})</span>
<span class="menu">({t}Current Project{/t}: {$core.project_name|escape:'html'})</span>
</th>
</tr>
{if $cats|@count > 0 && $core.current_role >= $field_display_settings.category.min_role}
@@ -9,7 +9,7 @@
<tr>
<td>
{section name="i" loop=$news}
<b>{$news[i].nws_created_date|timeago} - <a href="news.php?id={$news[i].nws_id}" title="{t}full news entry{/t}">{$news[i].nws_title}</a></b>
<b>{$news[i].nws_created_date|timeago} - <a href="news.php?id={$news[i].nws_id}" title="{t}full news entry{/t}">{$news[i].nws_title|escape:"html"}</a></b>
<br /><br />
{$news[i].nws_message|activateLinks:"links"}
<br /><br />
@@ -105,13 +105,13 @@
{elseif $field_name == 'sev_rank'}
{$list[i].sev_title|escape:"html"}
{elseif $field_name == 'grp_name'}
{$list[i].grp_name}
{$list[i].grp_name|escape:"html"}
{elseif $field_name == 'assigned'}
{$list[i].assigned_users}
{$list[i].assigned_users|escape:"html"}
{elseif $field_name == 'time_spent'}
{$list[i].time_spent}
{elseif $field_name == 'prc_title'}
{$list[i].prc_title}
{$list[i].prc_title|escape:"html"}
{elseif $field_name == 'pre_title'}
{$list[i].pre_title|escape:"html"}
{elseif $field_name == 'iss_customer_id'}
@@ -61,7 +61,7 @@
<tr class="title">
<th colspan="2">
{t}Anonymous Reporting of New Issues{/t}
<div class="right">({t}Current Project{/t}: {$project.prj_title})</div>
<div class="right">({t}Current Project{/t}: {$project.prj_title|escape:"html"})</div>
</th>
</tr>
<tr>
@@ -47,7 +47,7 @@
<th colspan="2">
{t}Manage Categories{/t}
<div class="right">
({t}Current Project{/t}: {$project.prj_title})
({t}Current Project{/t}: {$project.prj_title|escape:"html"})
</div>
</th>
</tr>
@@ -56,7 +56,7 @@
{t}Title{/t}: *
</th>
<td>
<input type="text" name="title" size="40" value="{$info.prc_title|default:''}">
<input type="text" name="title" size="40" value="{$info.prc_title|default:''|escape:'html'}">
{include file="error_icon.tpl.html" field="title"}
</td>
</tr>
@@ -90,7 +90,7 @@
<tr class="{cycle values='odd,even'}">
<td width="4" nowrap align="center"><input type="checkbox" name="items[]" value="{$list[i].prc_id}"></td>
<td width="100%">
&nbsp;<a href="{$core.rel_url}manage/categories.php?cat=edit&id={$list[i].prc_id}&prj_id={$project.prj_id}" title="{t}update this entry{/t}">{$list[i].prc_title}</a>
&nbsp;<a href="{$core.rel_url}manage/categories.php?cat=edit&id={$list[i].prc_id}&prj_id={$project.prj_id}" title="{t}update this entry{/t}">{$list[i].prc_title|escape:"html"}</a>
</td>
</tr>
{sectionelse}
@@ -15,7 +15,7 @@
<tr class="title">
<th colspan="3">
{t}Manage Columns to Display{/t} {include file="help_link.tpl.html" topic="column_display"}
<div class="right">({t}Current Project{/t}: {$project_name})</div>
<div class="right">({t}Current Project{/t}: {$project_name|escape:"html"})</div>
</th>
</tr>
<tr>
@@ -220,7 +220,7 @@
{t}Title{/t}
</th>
<td>
<input type="text" name="title" maxlength="255" size="40" value="{$info.fld_title|default:''}">
<input type="text" name="title" maxlength="255" size="40" value="{$info.fld_title|default:''|escape:'html'}">
{include file="error_icon.tpl.html" field="title"}
</td>
</tr>
@@ -229,7 +229,7 @@
{t}Short Description{/t}
</th>
<td>
<input type="text" name="description" maxlength="255" size="40" value="{$info.fld_description|default:''}">
<input type="text" name="description" maxlength="255" size="40" value="{$info.fld_description|default:''|escape:'html'}">
<span>({t}it will show up by the side of the field{/t})</span>
</td>
</tr>
@@ -419,16 +419,16 @@
{rank_icon href="{$core.rel_url}manage/custom_fields.php?cat=change_rank&id={$list[i].fld_id}&direction=-1" direction="up"}
</td>
<td width="15%">
&nbsp;<a href="{$core.rel_url}manage/custom_fields.php?cat=edit&id={$list[i].fld_id}" title="{t}update this entry{/t}">{$list[i].fld_title}</a>
&nbsp;<a href="{$core.rel_url}manage/custom_fields.php?cat=edit&id={$list[i].fld_id}" title="{t}update this entry{/t}">{$list[i].fld_title|escape:"html"}</a>
</td>
<td width="20%">
&nbsp;{$list[i].projects}
&nbsp;{$list[i].projects|escape:"html"}
</td>
<td width="10%">
&nbsp;{$list[i].min_role_name}
&nbsp;{$list[i].min_role_name|escape:"html"}
</td>
<td width="10%">
&nbsp;{$list[i].min_role_edit_name}
&nbsp;{$list[i].min_role_edit_name|escape:"html"}
</td>
<td width="5%">
<nobr>&nbsp;{if $list[i].fld_type == 'combo'}{t}Combo Box{/t}{elseif $list[i].fld_type == 'multiple'}{t}Multiple Combo Box{/t}{elseif $list[i].fld_type == 'textarea'}{t}Textarea{/t}{elseif $list[i].fld_type == 'date'}{t}Date{/t}{elseif $list[i].fld_type == 'integer'}{t}Integer{/t}{elseif $list[i].fld_type == 'checkbox'}Checkbox{else}{t}Text Input{/t}{/if}</nobr>
@@ -244,7 +244,7 @@
{section name="i" loop=$list}
<tr class="{cycle values='odd,even'}">
<td width="4" align="center" nowrap><input type="checkbox" name="items[]" value="{$list[i].ema_id}"></td>
<td>&nbsp;{$list[i].prj_title}</td>
<td>&nbsp;{$list[i].prj_title|escape:"html"}</td>
<td width="30%">
&nbsp;<a href="{$core.rel_url}manage/email_accounts.php?cat=edit&id={$list[i].ema_id}" title="{t}update this entry{/t}">{$list[i].ema_hostname|escape:"html"}</a></td>
<td>&nbsp;{$list[i].ema_type}</td>
@@ -115,7 +115,7 @@
<tr class="{cycle values='odd,even'}">
<td width="4" nowrap align="center"><input type="checkbox" name="items[]" value="{$list[i].ere_id}"></td>
<td width="60%">
&nbsp;<a href="{$core.rel_url}manage/email_responses.php?cat=edit&id={$list[i].ere_id}" title="{t}update this entry{/t}">{$list[i].ere_title}</a>
&nbsp;<a href="{$core.rel_url}manage/email_responses.php?cat=edit&id={$list[i].ere_id}" title="{t}update this entry{/t}">{$list[i].ere_title|escape:"html"}</a>
</td>
<td width="40%">
&nbsp;{$list[i].projects|escape:"html"}
@@ -73,7 +73,7 @@
{t}Name{/t} *
</th>
<td>
<input type="text" name="group_name" size="40" value="{$info.grp_name|default:''}">
<input type="text" name="group_name" size="40" value="{$info.grp_name|default:''|escape:'html'}">
{include file="error_icon.tpl.html" field="group_name"}
</td>
</tr>
@@ -82,7 +82,7 @@
{t}Description{/t}
</th>
<td>
<input type="text" name="description" size="100" value="{$info.grp_description|default:''}">
<input type="text" name="description" size="100" value="{$info.grp_description|default:''|escape:'html'}">
{include file="error_icon.tpl.html" field="description"}
</td>
</tr>
@@ -155,16 +155,16 @@
<input type="checkbox" name="items[]" value="{$list[i].grp_id}" {if $smarty.section.i.total == 0}disabled{/if}>
</td>
<td width="20%">
&nbsp;<a href="{$core.rel_url}manage/groups.php?cat=edit&id={$list[i].grp_id}" title="{t}update this entry{/t}">{$list[i].grp_name}</a>
&nbsp;<a href="{$core.rel_url}manage/groups.php?cat=edit&id={$list[i].grp_id}" title="{t}update this entry{/t}">{$list[i].grp_name|escape:"html"}</a>
</td>
<td width="20%">
&nbsp;{$list[i].grp_description}
&nbsp;{$list[i].grp_description|escape:"html"}
</td>
<td width="40%">
&nbsp;{$list[i].manager}
&nbsp;{$list[i].manager|escape:"html"}
</td>
<td width="20%">
&nbsp;{", "|join:$list[i].projects}
&nbsp;{", "|join:$list[i].projects|escape:"html"}
</td>
</tr>
{sectionelse}
@@ -50,7 +50,7 @@
<tr class="title">
<th colspan="2">
{t}Auto-Creation of Issues{/t}
<div class="right">({t}Associated Project{/t}: {$prj_title})</div>
<div class="right">({t}Associated Project{/t}: {$prj_title|escape:"html"})</div>
</th>
</tr>
<tr>
@@ -150,13 +150,13 @@
&nbsp;{$list[i].lfi_replacement|escape:"html"}
</td>
<td width="20%">
&nbsp;{$list[i].lfi_description}
&nbsp;{$list[i].lfi_description|escape:"html"}
</td>
<td width="20%">
&nbsp;{$list[i].min_usr_role_name}
&nbsp;{$list[i].min_usr_role_name|escape:"html"}
</td>
<td width="20%">
&nbsp;{", "|join:$list[i].project_names}
&nbsp;{", "|join:$list[i].project_names|escape:"html"}
</td>
</tr>
{sectionelse}
@@ -133,7 +133,7 @@
<tr class="{cycle values='odd,even'}">
<td width="4" nowrap align="center"><input type="checkbox" name="items[]" value="{$list[i].nws_id}"></td>
<td width="40%">
&nbsp;<a href="{$core.rel_url}manage/news.php?cat=edit&id={$list[i].nws_id}" title="{t}update this entry{/t}">{$list[i].nws_title}</a>
&nbsp;<a href="{$core.rel_url}manage/news.php?cat=edit&id={$list[i].nws_id}" title="{t}update this entry{/t}">{$list[i].nws_title|escape:"html"}</a>
</td>
<td width="40%">
&nbsp;{$list[i].projects|escape:"html"}
@@ -46,15 +46,15 @@
<tr class="title">
<th colspan="2">
{t}Manage Phone Support Categories{/t}
<div class="right">({t}Current Project{/t}: {$project.prj_title})</div>
<div class="right">({t}Current Project{/t}: {$project.prj_title|escape:"html"})</div>
</th>
</tr>
<tr>
<th width="120">
{t}Title{/t}: *
</th>
<td>
<input type="text" name="title" size="40" value="{$info.phc_title|default:''}">
<input type="text" name="title" size="40" value="{$info.phc_title|default:''|escape:'html'}">
{include file="error_icon.tpl.html" field="title"}
</td>
</tr>
@@ -88,7 +88,7 @@
<tr class="{cycle values='odd,even'}">
<td width="4" nowrap align="center"><input type="checkbox" name="items[]" value="{$list[i].phc_id}"></td>
<td width="100%">
&nbsp;<a href="{$core.rel_url}manage/phone_categories.php?cat=edit&id={$list[i].phc_id}&prj_id={$project.prj_id}" title="{t}update this entry{/t}">{$list[i].phc_title}</a>
&nbsp;<a href="{$core.rel_url}manage/phone_categories.php?cat=edit&id={$list[i].phc_id}&prj_id={$project.prj_id}" title="{t}update this entry{/t}">{$list[i].phc_title|escape:"html"}</a>
</td>
</tr>
{sectionelse}
@@ -79,7 +79,7 @@
<th colspan="2">
{t}Manage Priorities{/t}
<div class="right">
({t}Current Project{/t}: {$project.prj_title})
({t}Current Project{/t}: {$project.prj_title|escape:"html"})
</div>
</th>
</tr>
@@ -88,7 +88,7 @@
{t}Title{/t}: *
</th>
<td>
<input type="text" name="title" size="40" value="{$info.pri_title|default:''}">
<input type="text" name="title" size="40" value="{$info.pri_title|default:''|escape:'html'}">
{include file="error_icon.tpl.html" field="title"}
</td>
</tr>
@@ -154,7 +154,7 @@
{if $list[i].pri_icon > 0}<span class="priority_icon priority-icon-{$list[i].pri_icon}" title="{$list[i].pri_icon}"></span>{/if}
</td>
<td width="100%">
&nbsp;<a href="{$core.rel_url}manage/priorities.php?cat=edit&id={$list[i].pri_id}&prj_id={$project.prj_id}" title="{t}update this entry{/t}">{$list[i].pri_title}</a>
&nbsp;<a href="{$core.rel_url}manage/priorities.php?cat=edit&id={$list[i].pri_id}&prj_id={$project.prj_id}" title="{t}update this entry{/t}">{$list[i].pri_title|escape:"html"}</a>
</td>
</tr>
{sectionelse}
@@ -57,7 +57,7 @@
{t}Title{/t} *
</th>
<td>
<input type="text" name="title" size="40" value="{$info.pro_title|default:''}">
<input type="text" name="title" size="40" value="{$info.pro_title|default:''|escape:'html'}">
{include file="error_icon.tpl.html" field="title"}
</td>
</tr>
@@ -271,7 +271,7 @@
{section name="i" loop=$list}
<tr class="{cycle values='odd,even'}">
<td width="30%" >
&nbsp;<a href="{$core.rel_url}manage/projects.php?cat=edit&id={$list[i].prj_id}" title="{t}update this entry{/t}">{$list[i].prj_title}</a>
&nbsp;<a href="{$core.rel_url}manage/projects.php?cat=edit&id={$list[i].prj_id}" title="{t}update this entry{/t}">{$list[i].prj_title|escape:"html"}</a>
</td>
<td width="20%" >&nbsp;{$list[i].usr_full_name|escape:html}</td>
<td >&nbsp;{$list[i].prj_status|capitalize}</td>
@@ -47,7 +47,7 @@
<th colspan="2">
{t}Manage Releases{/t}
<div class="right">
({t}Current Project{/t}: {$project.prj_title})
({t}Current Project{/t}: {$project.prj_title|escape:"html"})
</div>
</th>
</tr>
@@ -56,7 +56,7 @@
{t}Title{/t}:
</th>
<td>
<input type="text" name="title" size="40" value="{$info.pre_title|default:''}">
<input type="text" name="title" size="40" value="{$info.pre_title|default:''|escape:'html'}">
{include file="error_icon.tpl.html" field="title"}
</td>
</tr>
@@ -111,7 +111,7 @@
<tr class="{cycle values='odd,even'}">
<td width="4" nowrap align="center"><input type="checkbox" name="items[]" value="{$list[i].pre_id}"></td>
<td width="40%">
&nbsp;<a href="{$core.rel_url}manage/releases.php?cat=edit&id={$list[i].pre_id}&prj_id={$project.prj_id}" title="{t}update this entry{/t}">{$list[i].pre_title}</a>
&nbsp;<a href="{$core.rel_url}manage/releases.php?cat=edit&id={$list[i].pre_id}&prj_id={$project.prj_id}" title="{t}update this entry{/t}">{$list[i].pre_title|escape:"html"}</a>
</td>
<td>&nbsp;{$list[i].pre_scheduled_date}</td>
<td>&nbsp;{$list[i].pre_status}</td>
@@ -57,7 +57,7 @@
{t}Title{/t}:
</th>
<td>
<input type="text" name="title" size="40" value="{$info.res_title|default:''}">
<input type="text" name="title" size="40" value="{$info.res_title|default:''|escape:'html'}">
{include file="error_icon.tpl.html" field="title"}
</td>
</tr>
@@ -101,7 +101,7 @@
<td width="4" nowrap align="center"><input type="checkbox" name="items[]" value="{$list[i].res_id}"></td>
<td align="center">{$list[i].res_rank}</td>
<td width="100%">
&nbsp;<a href="{$core.rel_url}manage/resolution.php?cat=edit&id={$list[i].res_id}" title="{t}update this entry{/t}">{$list[i].res_title}</a>
&nbsp;<a href="{$core.rel_url}manage/resolution.php?cat=edit&id={$list[i].res_id}" title="{t}update this entry{/t}">{$list[i].res_title|escape:"html"}</a>
</td>
</tr>
{sectionelse}
@@ -131,7 +131,7 @@
<tr class="{cycle values="odd,even"}">
<td width="4" nowrap align="center"><input type="checkbox" name="items[]" value="{$list[i].prr_id}"></td>
<td width="30%">
&nbsp;<a href="{$core.rel_url}manage/round_robin.php?cat=edit&id={$list[i].prr_id}" title="{t}update this entry{/t}">{$list[i].prj_title}</a>
&nbsp;<a href="{$core.rel_url}manage/round_robin.php?cat=edit&id={$list[i].prr_id}" title="{t}update this entry{/t}">{$list[i].prj_title|escape:"html"}</a>
</td>
<td width="70%">
&nbsp;{$list[i].users|escape:"html"}

0 comments on commit a4b6fd7

Please sign in to comment.