
Fix h1 report 173501

Persistent  XSS
---------------

The HackerOne user pavanw3b has reported that the Revive Adserver was
vulnerable to a persistent XSS attack: an authenticated user could set their
own email address to a specifically crafted string which was then displayed
without proper escaping in the context of other users (e.g. the administrator
user), giving them an opportunity to steal a session with elevated privileges.

CWE-ID: CWE-79

CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 4.2
CVSSv3 Temporal Score: 3.7
mbeccati committed Jan 24, 2017
1 parent b088012 commit 0b311d3fd66e7dec45e1d784af4d209a4ce18be3
Showing with 2 additions and 2 deletions.
  1. +2 −2 lib/templates/admin/user-access.html
@@ -44,10 +44,10 @@
<tbody class="{$rowType}">
<tr height="25" {if $user.justModified}class="hl"{/if}>
{if $sso}
<td class="first"><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.email_address}</a></td>
<td class="first"><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.email_address|escape}</a></td>
{else}
<td class="first"><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.username|escape}</a></td>
<td><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.email_address}</a></td>
<td><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.email_address|escape}</a></td>
{/if}
<td>{$user.contact_name|escape}</td>
{if $sso}
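
Review bot: In the href attributes of the two changed email_address lines (and the username line between them), {$user.user_id}, {$entityIdName} and {$entityIdValue} are still written into the URL with no modifier; only the link text gains |escape. If any of these can hold something other than a server-generated integer or a fixed parameter name, they need escaping for the attribute and query-string context too, for example {$entityIdValue|escape:'url'}. The change touches lib/templates/admin/user-access.html only, so it would also help to state in the commit message whether other templates that print {$user.email_address} were checked.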
