Cross-site Scripting (XSS) #1431
@drbyte Can you help me ask for a CVE ID?
drbyte added a commit that referenced this issue on May 7, 2017
drbyte added a commit that referenced this issue on May 7, 2017
Thanks for the feedback. Fortunately this (v160) is a development branch, and is unofficial, unreleased code. The change in #1432 resolves this issue. The officially released code version (latest release v1.5.5e) is not affected by this attack vector.

It should also be noted that we intend to introduce automated request sanitization, similar to the code in admin.
Version: 1.6.0
Hi, in your 1.6.0 open-source version I found that index.php does not filter or escape the page parameter value on output, nor filter or escape the input characters, which causes XSS.
PoC payload:
http://127.0.0.1/index.php?main_page=login%22%3E%3Csvg/onload=alert(domain)%3E%22
Resolution: filtering, encoding or escaping.
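The vulnerable-versus-escaped pattern that the report and the fix discussion describe, as an added example that is not Zen Cart's own code and not the change in #1432: the PoC payload from the report is interpolated into an HTML attribute unescaped, then rendered through htmlspecialchars, with an input allowlist on the routing token in the spirit of the request sanitization drbyte mentions. The render_* and sanitize_main_page functions are hypothetical and exist only for this illustration.

```php
<?php
// Added example, not Zen Cart code. Demonstrates why the reported payload fires
// and how output escaping (plus input allowlisting) neutralises it.

// The PoC value from the issue, URL-decoded: login"><svg/onload=alert(domain)>"
$payload = rawurldecode('login%22%3E%3Csvg/onload=alert(domain)%3E%22');

// Vulnerable (hypothetical): the request value is dropped into a quoted attribute
// with no escaping. The leading "> closes both the attribute and the <a> tag, and
// the browser then parses <svg/onload=...> as markup and runs the handler.
function render_vulnerable(string $main_page): string
{
    return '<a href="index.php?main_page=' . $main_page . '">Login</a>';
}

// Escaping for an HTML attribute context. ENT_QUOTES encodes both " and ' so the
// value cannot break out of either quoting style; the explicit charset avoids
// multibyte-dependent bypasses; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// silently returning an empty string (which would hide tampering).
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened (hypothetical): same markup, but the value is escaped at the point of
// output, so " becomes &quot; and < > become &lt; &gt; and stay inside the attribute.
function render_escaped(string $main_page): string
{
    return '<a href="index.php?main_page=' . html_attr($main_page) . '">Login</a>';
}

// Defence in depth at the input side (hypothetical): main_page selects a page
// script, so only an identifier alphabet is meaningful. Anything else falls back
// to a safe default rather than being carried through the request.
function sanitize_main_page(string $value, string $default = 'index'): string
{
    return preg_match('/^[A-Za-z0-9_]+$/', $value) === 1 ? $value : $default;
}

// Side by side: the unescaped output contains a live <svg onload> tag, the escaped
// output contains only entity-encoded text, and the sanitizer rejects the payload.
echo render_vulnerable($payload), PHP_EOL;
echo render_escaped($payload), PHP_EOL;
echo sanitize_main_page($payload), PHP_EOL;
```

Output escaping is the control that actually closes the hole, because it is applied in the context where the data is interpreted; the allowlist only protects this one parameter, which is why drbyte's note about request-wide sanitization is a complement rather than a replacement for escaping every echoed value.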