Bug #72475: XSS in belog module
Status: Closed (100% done)
Description
The belog module, accessible for admin users, is vulnerable to XSS.
Requirements
a) create a backend user having the name
te<b>st</b>
b) create a workspace record having the title
work<b>space</b>
PoC
- switch to the created user
- switch to the created workspace
- modify or create any content
- open the log at System>Log and see the unescaped contents of the user and workspace
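The report says the log module prints the stored user name and workspace title without escaping. The following is an added illustration, not code from TYPO3 or from the linked changesets: it assumes the log rows are assembled in PHP from the stored field values, uses hypothetical function names (renderLogRowUnescaped, renderLogRowEscaped, containsRawTag) and constructed sample records shaped like the two from the report, and shows the unescaped rendering beside the output-escaped form plus a small regression check.

```php
<?php
declare(strict_types=1);

// Constructed sample data: what the two records from the report look like
// when read back out of the database. The values are stored verbatim; the
// defect is purely in how they are written into the HTML page.
$logEntries = [
    [
        'username'  => 'te<b>st</b>',
        'workspace' => 'work<b>space</b>',
        'action'    => 'Record updated',
    ],
    [
        'username'  => 'admin',
        'workspace' => 'LIVE',
        'action'    => 'Record created',
    ],
];

/**
 * Vulnerable rendering (hypothetical): field values are concatenated straight
 * into the table row, so any markup an admin stored in the user name or the
 * workspace title is interpreted by the browser.
 */
function renderLogRowUnescaped(array $entry): string
{
    return '<tr>'
        . '<td>' . $entry['username'] . '</td>'
        . '<td>' . $entry['workspace'] . '</td>'
        . '<td>' . $entry['action'] . '</td>'
        . '</tr>';
}

/**
 * Output escaping at the point where a value becomes part of an HTML
 * document. ENT_QUOTES also escapes single quotes (safe inside attributes),
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
 * which would otherwise silently blank the cell.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened rendering (hypothetical): same row, every value escaped. */
function renderLogRowEscaped(array $entry): string
{
    return '<tr>'
        . '<td>' . escapeHtml($entry['username']) . '</td>'
        . '<td>' . escapeHtml($entry['workspace']) . '</td>'
        . '<td>' . escapeHtml($entry['action']) . '</td>'
        . '</tr>';
}

/**
 * Regression check: a user-controlled value containing '<' must not survive
 * verbatim in the rendered output.
 */
function containsRawTag(string $html, array $entry): bool
{
    foreach (['username', 'workspace'] as $field) {
        $value = $entry[$field];
        if (strpos($value, '<') !== false && strpos($html, $value) !== false) {
            return true;
        }
    }
    return false;
}

foreach ($logEntries as $entry) {
    $vulnerable = renderLogRowUnescaped($entry);
    $fixed      = renderLogRowEscaped($entry);
    echo "unescaped: $vulnerable\n";
    echo "escaped:   $fixed\n";
    echo 'raw tag in unescaped output: ' . var_export(containsRawTag($vulnerable, $entry), true) . "\n";
    echo 'raw tag in escaped output:   ' . var_export(containsRawTag($fixed, $entry), true) . "\n\n";
}
```

Escaping belongs at output time, not when the record is saved: the same user name is also shown in other modules and in non-HTML contexts, and storing it pre-escaped would double-encode it there. For the first sample record the check reports true for the unescaped row and false for the escaped one.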
Updated by Gerrit Code Review almost 9 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/45502
Updated by Helmut Hummel almost 9 years ago
- Project changed from 1716 to TYPO3 Core
- Category deleted (OW-A07: Cross Site Scripting)
- Is Regression set to No
Users and Workspaces can only be created by admins, so it is fine to fix this in public
Updated by Gerrit Code Review almost 9 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45519
Updated by Gerrit Code Review almost 9 years ago
Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45522
Updated by Oliver Hader almost 9 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 056323e9141c9028d07c1e12543584e03b5f0c9e.
Updated by Gerrit Code Review almost 9 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/45523
Updated by Oliver Hader almost 9 years ago
- Status changed from Under Review to Resolved
Applied in changeset 3eb2e46d3ce05ee9ef00e68ea57d20506bb50314.