Stored XSS: extended user fields #14104

Closed
AgelxNash opened this issue Oct 2, 2018 · 1 comment

@AgelxNash
Contributor

Container name

<img src=# onerror=alert(1); />

Attribute name

<img src=# onerror=alert(2); />
AgelxNash mentioned this issue Oct 2, 2018
alroniks pushed a commit that referenced this issue Feb 6, 2019
* upstream/pr/14335:
  XSS in the tree
  Fix #14105
  Fix #14104
  Fix #14103
  Fix #14102
  Enable remote avatars
@AgelxNash
Contributor Author

CVE-2018-20757

opengeek added a commit that referenced this issue Feb 22, 2019
* origin/2.x: (104 commits)
  Change the RSS feed URLs to HTTPS
  MODX Revolution 2.7.1-pl
  Update lexicons from crowdin
  Change after review
  Update phpThumb 1.7.15-201902101903
  Restore html in resource tree (#14358) while preserving XSS protections in trees by default
  Handle deprecated $type and $responseCode parameters in $modx->sendRedirect and fix message
  Update lexicon entry
  Include not deleted children of deleted parents in the list
  Using cltr/cmd and click will open the url in a new tab/window again for ExtJS elements that use `loadPage()` to open URLs
  Forbid generating child resources for deleted resources
  Fix #14094
  XSS in the tree
  Fix #14105
  Fix #14104
  Fix #14103
  Fix #14102
  Enable remote avatars
  Fix regression in resourcelist that prevents parents from working correctly
  Improve wording in variables
  ...