View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0011232 | mantisbt | security | public | 2009-11-30 23:54 | 2010-02-22 14:34 |
Reporter | dhx | Assigned To | dhx | ||
Priority | urgent | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.0 | ||||
Target Version | 1.2.0 | Fixed in Version | 1.2.0 | ||
Summary | 0011232: XSS on summary_page.php with user Real Name field | ||||
Description | Set your real name in "My Account" to something including "<script>alert(42);</script>" and then go to summary_page.php. Assuming that your name would normally show on the page (i.e. you're in one of the top lists), you'll see multiple alert() windows pop up. | ||||
Tags | No tags attached. | ||||
MantisBT: master 810ae079 2009-12-01 00:25 |
Fix 0011232: XSS on summary_page.php with user Real Name field |
User real names should be sanitised before being printed to summary_page.php as it may be possible for the names to contain HTML elements that allow for XSS attacks. |
Affected Issues 0011232 |
mod - core/summary_api.php |
MantisBT: master-1.2.x c23edbfb 2009-12-01 00:25 |
Fix 0011232: XSS on summary_page.php with user Real Name field |
User real names should be sanitised before being printed to summary_page.php as it may be possible for the names to contain HTML elements that allow for XSS attacks. |
Affected Issues 0011232 |
mod - core/summary_api.php |
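
Added example, not MantisBT's code: the real name from the description rendered into two summary lists, first unencoded and then through a single output-encoding helper. The function names, list titles and sample users are assumptions made for the illustration.

```php
<?php
// Added illustration, not MantisBT code. Function names and the list titles
// are hypothetical; the sample rows are constructed.
$users = [
    ['real_name' => 'Alice Example', 'count' => 12],
    // Real name containing the markup quoted in the report above.
    ['real_name' => 'Bob <script>alert(42);</script>', 'count' => 7],
];

// Before: the stored name is concatenated into the markup unchanged, so any
// HTML it contains becomes part of the page.
function summary_row_raw(array $user): string {
    return '<tr><td>' . $user['real_name'] . '</td><td>' . (int) $user['count'] . "</td></tr>\n";
}

// Encode a value for an HTML text or quoted-attribute context at output time.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function html_text(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every list builds its rows through the same encoding helper.
function summary_row(array $user): string {
    return '<tr><td>' . html_text($user['real_name']) . '</td><td>' . (int) $user['count'] . "</td></tr>\n";
}

// The same user can appear in several lists on one page, so an unencoded
// name is emitted once per list. Encoding at the sink covers all of them.
function render_summary(array $users, callable $row): string {
    $html = '';
    foreach (['Top reporters', 'Top resolvers'] as $title) {
        $html .= '<h2>' . html_text($title) . "</h2>\n<table>\n";
        foreach ($users as $user) {
            $html .= $row($user);
        }
        $html .= "</table>\n";
    }
    return $html;
}

$before = render_summary($users, 'summary_row_raw');
$after  = render_summary($users, 'summary_row');

// Count live <script> tags in each rendering of the page.
printf("script tags before: %d\n", substr_count($before, '<script>'));
printf("script tags after:  %d\n", substr_count($after, '<script>'));
echo $after;
```

Encoding in the row-building function, not at the point where the name is saved, keeps the stored value intact and protects every list that prints it.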