Bug #29179
Status: Closed
Scheduler: Description is not escaped
Added by Georg Ringer over 13 years ago. Updated about 6 years ago.
Description
Description is not escaped properly
Patch is attached.
Files
scheduler_xss.diff (1.09 KB) | Patch | Georg Ringer, 2011-08-23 07:23
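The issue is a classic output-encoding defect: a stored, free-text task description is written into the backend module's HTML without escaping. The following is an added illustration, not code from TYPO3 or from the attached patch; the render functions, the sample description and the check are all constructed here to show the vulnerable pattern next to the escaped one.

```php
<?php
// Added example (not TYPO3's code): a task description rendered into an HTML
// table cell, once unescaped and once escaped. The function names and the
// markup are assumptions made for this illustration.
declare(strict_types=1);

// Constructed sample: a description that an admin, or an extension that
// registers a task, might store. Descriptions are arbitrary text.
const SAMPLE_DESCRIPTION = 'Nightly cleanup <img src=x onerror="alert(document.cookie)">';

/** Vulnerable: the stored value is concatenated straight into markup. */
function renderDescriptionUnescaped(string $description): string
{
    return '<td class="description">' . $description . '</td>';
}

/**
 * Hardened: encode for an HTML text node. ENT_QUOTES also encodes single and
 * double quotes, so the same helper is safe inside a quoted attribute;
 * ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
 */
function renderDescriptionEscaped(string $description): string
{
    return '<td class="description">'
        . htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</td>';
}

/**
 * Check for a unit test: the cell content must contain no raw '<' or '>'
 * and must decode back to exactly the stored description (no data lost).
 */
function descriptionIsSafelyEncoded(string $html, string $description): bool
{
    $start = strlen('<td class="description">');
    $inner = substr($html, $start, strlen($html) - $start - strlen('</td>'));

    if (strpos($inner, '<') !== false || strpos($inner, '>') !== false) {
        return false;
    }
    return htmlspecialchars_decode($inner, ENT_QUOTES) === $description;
}

if (PHP_SAPI === 'cli') {
    $unsafe = renderDescriptionUnescaped(SAMPLE_DESCRIPTION);
    $safe   = renderDescriptionEscaped(SAMPLE_DESCRIPTION);

    echo $unsafe, PHP_EOL;
    echo $safe, PHP_EOL;
    // The unescaped cell still carries the <img ... onerror> handler verbatim.
    var_dump(descriptionIsSafelyEncoded($unsafe, SAMPLE_DESCRIPTION)); // bool(false)
    var_dump(descriptionIsSafelyEncoded($safe, SAMPLE_DESCRIPTION));   // bool(true)
}
```

The escaping belongs at the point of output, in the module that builds the table, not on the value as it is stored: the same description may later be written into a plain-text log or a mail body, where HTML entities would be wrong.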
Updated by Steffen Gebert over 13 years ago
I tend to solve this as a normal issue ("Description is not escaped"), as it requires admin permissions. While installing 3rd-party extensions, you always have to trust the authors.
Updated by Georg Ringer over 13 years ago
-1 for that because an extension author is not a trustworthy person.
Updated by Steffen Gebert over 13 years ago
Extension authors can send your whole database back home or create backdoors or whatever!
Updated by Helmut Hummel over 13 years ago
I agree with Steffen here.
It would be clearly visible in TER and EM that this extension tries to do some weird things (and AFAIK TER and EM are secure in this regard).
Updated by Georg Ringer about 13 years ago
- Subject changed from XSS in Scheduler to Scheduler: Description is not escaped
Updated by Marcus Krause about 13 years ago
- Project changed from 1716 to TYPO3 Core
Only admins can exploit this vulnerability
-> Ticket visibility changed to public
Updated by Georg Ringer about 13 years ago
- Status changed from Accepted to Under Review
Updated by Georg Ringer about 13 years ago
- Status changed from Under Review to Accepted
Updated by Gerrit Code Review about 11 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/25132
Updated by Gerrit Code Review about 11 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/25132
Updated by Gerrit Code Review about 11 years ago
Patch set 1 for branch TYPO3_6-1 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/25214
Updated by Gerrit Code Review about 11 years ago
Patch set 1 for branch TYPO3_6-0 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/25215
Updated by Gerrit Code Review about 11 years ago
Patch set 1 for branch TYPO3_4-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/25218
Updated by Tomita Militaru about 11 years ago
- Status changed from Under Review to Resolved
- % Done changed from 80 to 100
Applied in changeset c3773a4d327e4c3fff59afceae88f0522a2518bc.
Updated by Gerrit Code Review about 11 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch TYPO3_4-5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/25231
Updated by Stefan Neufeind about 11 years ago
- Status changed from Under Review to Resolved
Applied in changeset c581f3380db29e2c3cd83367bef38be4807e0ab0.