XSS issue - placeholder #1869

Closed
martini opened this issue Mar 12, 2018 · 0 comments
martini commented Mar 12, 2018

Infos:

  • Used Zammad version: 2.2.1 and higher
  • Installation method (source, package, ..): any
  • Operating system: any
  • Database + version: any
  • Elasticsearch version: any
  • Browser + version: any

@ValtteriL (https://github.com/ValtteriL) reported an XSS issue. The content of this issue will be public after the issue is solved.

Expected behavior:

  • HTML quoting of all params.

Actual behavior:

  • The subject of emails is not HTML quoted in certain cases.

Steps to reproduce the behavior:

  • Send an email with the following subject into the system: '> <script>alert(1);</script>

The related change/fix is here: 17aa655#diff-9e922c280daaee1ae1875844d3453145
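The class of defect described above (an untrusted email subject placed into markup without escaping), shown as an added Ruby example that is not Zammad's code: a simplified template renders the subject from the reproduction step once unescaped and once escaped, and a regression check verifies that only the template's own tags survive.

```ruby
require 'cgi'

# Constructed sample input: the subject from the issue's reproduction step.
SAMPLE_SUBJECT = "'> <script>alert(1);</script>"

# 'Before': the subject is interpolated straight into an attribute and into
# element content. This reproduces the behaviour the issue describes and is
# kept only for comparison with the escaped version below.
def render_subject_unsafe(subject)
  "<a title='#{subject}'>#{subject}</a>"
end

# 'After': every untrusted value is HTML-escaped before it is placed in
# markup. CGI.escapeHTML encodes & < > " and ' (as &#39;), which covers both
# the attribute and the element-content context used here.
def render_subject_safe(subject)
  escaped = CGI.escapeHTML(subject.to_s)
  "<a title='#{escaped}'>#{escaped}</a>"
end

# Regression check: the rendered fragment may contain only the two tag
# openings that belong to the template itself (<a ... and </a). Any
# additional tag opening means user data reached the markup unescaped.
def only_template_tags?(fragment)
  fragment.scan(/<\/?[a-zA-Z]+/) == ['<a', '</a']
end

# Second check for the attribute context: the template contributes exactly
# two single quotes; a third one would mean the title attribute was closed
# early by the subject. Returns true when the attribute is intact.
def attribute_intact?(fragment)
  fragment.count("'") == 2
end

if __FILE__ == $PROGRAM_NAME
  [render_subject_unsafe(SAMPLE_SUBJECT), render_subject_safe(SAMPLE_SUBJECT)].each do |html|
    puts html
    puts "  template tags only: #{only_template_tags?(html)}, attribute intact: #{attribute_intact?(html)}"
  end
end
```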

@martini martini added this to the 2.2.2 milestone Mar 12, 2018
@martini martini self-assigned this Mar 12, 2018
@martini martini closed this as completed Apr 4, 2018