Fix XSS on timeline (CVE-2019-15074)
Kamran Saifullah reported a stored cross-site scripting (XSS) vulnerability in Timeline, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the issue, whenever My View Page is displayed. Prevent the attack by sanitizing the filename before display. Fixes #25995
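To illustrate the bug class the commit message describes (a stored XSS where an attachment's filename reaches HTML output unescaped, here shown in the timeline-style list markup), the following is an added, self-contained Ruby example; it is not Redmine's code and does not reproduce the actual patch. The filename, the helper names `timeline_entry_unsafe` and `timeline_entry_safe`, and the `/attachments/` path are constructed for the example. The "before" helper interpolates the raw filename into both an attribute and the element body; the "after" helper runs it through `ERB::Util.html_escape` first, which is what "sanitizing the filename before display" amounts to in a Rails/ERB view.

```ruby
require "erb"

# Constructed sample input: a filename an attacker could pick when uploading an
# attachment. It closes the href attribute and injects a script element. This is
# an assumed payload for illustration, not the one from the original report.
MALICIOUS_FILENAME = %q{report.pdf"><script>alert(document.cookie)</script>}

# "Before" form: the filename is concatenated straight into the HTML for the
# timeline entry. A filename containing quotes or angle brackets becomes markup,
# and the script runs for every user who views the page.
def timeline_entry_unsafe(filename)
  %(<li class="attachment"><a href="/attachments/#{filename}">#{filename}</a></li>)
end

# "After" form: the filename is HTML-escaped once, before it is placed into
# either the attribute value or the text node. Escaping covers & < > " and ',
# so neither context can be broken out of.
def timeline_entry_safe(filename)
  escaped = ERB::Util.html_escape(filename)
  %(<li class="attachment"><a href="/attachments/#{escaped}">#{escaped}</a></li>)
end

# Crude check used by the demonstration: does the rendered fragment still
# contain a live <script> tag?
def contains_script_tag?(html)
  html.include?("<script>")
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{timeline_entry_unsafe(MALICIOUS_FILENAME)}"
  puts "safe:   #{timeline_entry_safe(MALICIOUS_FILENAME)}"
end
```

In a real Rails view the equivalent of `timeline_entry_safe` is simply `<%= filename %>` (auto-escaped) rather than `<%= filename.html_safe %>` or `raw(filename)`; any helper that marks the string as safe before the filename has been escaped reintroduces the bug. A Content-Security-Policy that forbids inline scripts limits the impact, as the commit message notes, but the escaping is the actual fix.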