
XSS issue - placeholder #1869

Closed
martini opened this issue Mar 12, 2018 · 0 comments

Comments

@martini
Collaborator

commented Mar 12, 2018

Infos:

  • Used Zammad version: 2.2.1 and higher
  • Installation method (source, package, ..): any
  • Operating system: any
  • Database + version: any
  • Elasticsearch version: any
  • Browser + version: any

@ValtteriL (https://github.com/ValtteriL) reported an XSS issue. The content of this issue will be public after the issue is solved.

Expected behavior:

  • HTML quoting of all params.

Actual behavior:

  • The subject of emails is not HTML quoted in certain cases.

Steps to reproduce the behavior:

  • Send an email with following subject into the system: '> <script>alert(1);</script>

The related change/fix is here: 17aa655#diff-9e922c280daaee1ae1875844d3453145
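To illustrate the defect and the expected behaviour described in this report, here is an added Ruby example (not Zammad's code and not the linked commit): the reported subject is rendered into an HTML fragment once without quoting and once with CGI.escapeHTML, and a hypothetical helper checks that no markup other than the wrapper element survives in the output.

```ruby
require 'cgi'

# Sample input taken from the reproduction step above.
REPORTED_SUBJECT = "'> <script>alert(1);</script>"

# Vulnerable form (constructed for illustration): the subject is interpolated
# into HTML without quoting, so the quote and angle brackets inside it close
# the attribute and open a new element the browser will interpret as markup.
def render_subject_unescaped(subject)
  %(<div class="ticket-subject" title="#{subject}">#{subject}</div>)
end

# Hardened form: every untrusted value is HTML-quoted before interpolation,
# so < > " ' & become entities and cannot open a tag or break out of the
# attribute; the subject is shown literally instead of being executed.
def render_subject_escaped(subject)
  safe = CGI.escapeHTML(subject)
  %(<div class="ticket-subject" title="#{safe}">#{safe}</div>)
end

# Hypothetical regression helper: true when the rendered fragment contains
# no tag names other than the wrapper div, i.e. nothing from the subject
# survived as markup.
def only_wrapper_markup?(html)
  tags = html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.map(&:downcase)
  tags.uniq == ['div']
end

if __FILE__ == $PROGRAM_NAME
  puts render_subject_unescaped(REPORTED_SUBJECT)
  puts render_subject_escaped(REPORTED_SUBJECT)
end
```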

@martini martini added the verified label Mar 12, 2018

@martini martini added this to the 2.2.2 milestone Mar 12, 2018

@martini martini self-assigned this Mar 12, 2018

@martini martini closed this Apr 4, 2018
