0013228: CVE-2017-1000164: Unescaped values for displayed name and company #6545

Closed
Gloirin opened this Issue Jun 9, 2018 · 1 comment


Gloirin commented Jun 9, 2018

Reported by SOWIWAS on 16 Jun 2017 17:04

Version: 2017.02.4 Community Edition

At least in the addressbook overview there are 3 possible ways to inject html. This should probably be checked on more fields or displays.

Steps to reproduce: Create a new address entry:

First Name: <a href="">foo</a>
Last Name: <a href="">bar</a>
Company: <a href="">baz</a>

All those entries are visible in the ContactGridDetailsPanel and in the Grid only Company is escaped.
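As an added example (not code from the Tine 2.0 project), a hypothetical grid-row renderer that HTML-escapes every displayed field, not only the company, so the three entries in the report render as literal text. The contact field names and the `renderContactRow` function are assumptions.

```javascript
// Added example, not Tine 2.0 code: escape every contact field at the point
// where it is turned into markup, so a name stored as <a href="">foo</a> is
// shown literally instead of being interpreted by the grid or details panel.
function escapeHtml(value) {
  return String(value == null ? '' : value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical renderer for one contact row (field names are assumptions).
// The displayed name is built from first and last name; all three fields
// pass through escapeHtml, which closes the gap the report describes
// (only the company column being escaped).
function renderContactRow(contact) {
  const displayName = [contact.firstName, contact.lastName]
    .filter(Boolean)
    .map(escapeHtml)
    .join(' ');
  return `<tr><td>${displayName}</td><td>${escapeHtml(contact.company)}</td></tr>`;
}

// Constructed sample reusing the three values from the report.
const sampleContact = {
  firstName: '<a href="">foo</a>',
  lastName: '<a href="">bar</a>',
  company: '<a href="">baz</a>',
};

// Quick self-check: the rendered row must contain no anchor tag at all.
function rowIsInert(contact) {
  return !/<a\b/i.test(renderContactRow(contact));
}

console.log(renderContactRow(sampleContact), rowIsInert(sampleContact));
```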

@Gloirin Gloirin added this to the 2016.11.9dev1 Egon BE Develop milestone Jun 9, 2018

@Gloirin Gloirin self-assigned this Jun 9, 2018

@Gloirin Gloirin closed this Jun 9, 2018

Gloirin commented Jun 11, 2018

Comment posted by mspahn on 19 Jun 2017 10:28

http://gerrit.tine20.com/customers/#/c/4893/
