0013228: CVE-2017-1000164: Unescaped values for displayed name and company #6545
Reported by SOWIWAS on 16 Jun 2017 17:04
Version: 2017.02.4 Community Edition
At least in the addressbook overview there are 3 possible ways to inject HTML. This should probably be checked on more fields or displays.
Steps to reproduce: Create a new address entry:
First Name: <a href="">foo</a>
All those entries are visible in the ContactGridDetailsPanel, and in the Grid only Company is escaped.
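Added example, not code from the report or from the project: the unescaped cell rendering the report describes beside a hardened renderer that HTML-encodes every displayed value, plus a check a test suite could run over the rendered markup. Field names (`firstName`, `company`) and function names are assumptions for illustration.

```javascript
// Added example (not the project's code): escaping displayed contact fields.

// Encode the characters that let a stored value break out of text or
// attribute context when the string is assigned to innerHTML.
function escapeHtml(value) {
  const s = value == null ? '' : String(value);
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: the stored value is concatenated straight into markup, so a
// first name such as <a href="">foo</a> becomes a live element in the grid.
function renderContactCellUnsafe(contact) {
  return '<span class="name">' + contact.firstName + '</span>' +
         '<span class="company">' + contact.company + '</span>';
}

// Hardened: every user-controlled value is encoded before it reaches the DOM.
function renderContactCellSafe(contact) {
  return '<span class="name">' + escapeHtml(contact.firstName) + '</span>' +
         '<span class="company">' + escapeHtml(contact.company) + '</span>';
}

// Regression check: a field value that contains a tag must never appear
// verbatim in the rendered markup (field names are assumptions).
function leaksRawMarkup(html, contact) {
  return ['firstName', 'company'].some((field) => {
    const v = contact[field] == null ? '' : String(contact[field]);
    return /<[a-z!\/]/i.test(v) && html.includes(v);
  });
}

// Constructed sample matching the report's reproduction step.
const sampleContact = { firstName: '<a href="">foo</a>', company: 'Example <b>Ltd</b>' };
```

`leaksRawMarkup(renderContactCellUnsafe(sampleContact), sampleContact)` is true, while the hardened renderer returns false.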