
0013228: CVE-2017-1000164: Unescaped values for displayed name and company #6545

Closed
Gloirin opened this issue Jun 9, 2018 · 1 comment

@Gloirin commented Jun 9, 2018

Reported by SOWIWAS on 16 Jun 2017 17:04

Version: 2017.02.4 Community Edition

At least in the addressbook overview there are 3 possible ways to inject HTML. This should probably be checked on more fields or displays.

Steps to reproduce: Create a new address entry:

First Name: <a href="">foo</a>
Last Name: <a href="">bar</a>
Company: <a href="">baz</a>

All those entries are visible in the ContactGridDetailsPanel and in the Grid only Company is escaped.
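The defect reported above, shown as an added example that is not Tine 2.0 code: a details-panel renderer that concatenates the three fields straight into markup, beside one that escapes each value first. The field names (`n_given`, `n_family`, `org_name`) and the sample contact are assumptions made for this example.

```javascript
// Added example (not Tine 2.0 code): render contact fields as text, not markup.
// Field names n_given / n_family / org_name and the sample contact are assumed.

// Escape the five characters that let a value break out of text or attribute context.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Before: values concatenated straight into markup; a name entered as
// <a href="">foo</a> becomes a live anchor element in the details panel.
function renderDetailsUnescaped(contact) {
  return `<div class="contact">${contact.n_given} ${contact.n_family}` +
         ` (${contact.org_name})</div>`;
}

// After: every displayed field passes through escapeHtml, so the same name is
// shown literally as the text <a href="">foo</a> instead of being parsed.
function renderDetailsEscaped(contact) {
  return `<div class="contact">${escapeHtml(contact.n_given)} ` +
         `${escapeHtml(contact.n_family)} (${escapeHtml(contact.org_name)})</div>`;
}

// Regression check: the only element allowed in the rendered output is the
// wrapper div, so any <a ...> tag means a field reached the DOM unescaped.
function containsInjectedMarkup(html) {
  return /<a\b/i.test(html);
}

// Constructed sample mirroring the reporter's three values.
const sampleContact = {
  n_given: '<a href="">foo</a>',
  n_family: '<a href="">bar</a>',
  org_name: '<a href="">baz</a>',
};

console.log(renderDetailsUnescaped(sampleContact)); // anchors survive
console.log(renderDetailsEscaped(sampleContact));   // anchors neutralised
```

The same `escapeHtml` belongs in every grid column renderer too; the report notes that in the Grid only Company was escaped, so the check should cover all three fields in both views.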

@Gloirin Gloirin added this to the 2016.11.9dev1 Egon BE Develop milestone Jun 9, 2018

@Gloirin Gloirin self-assigned this Jun 9, 2018

@Gloirin Gloirin closed this Jun 9, 2018

@Gloirin (Author) commented Jun 11, 2018

Comment posted by mspahn on 19 Jun 2017 10:28

http://gerrit.tine20.com/customers/#/c/4893/
