Bug #72475: XSS in belog module - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #72475

closed

XSS in belog module

Added by Oliver Hader almost 9 years ago. Updated about 6 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2015-12-30

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

6.2

PHP Version:

5.5

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

The belog module, accessible for admin users, is vulnerable for XSS.

Requirements

a) create a backend user having the name

te<b>st</b>

b) create a workspace record having the title

work<b>space</b>

PoC

switch to the created user
switch to the create workspace
modify or create any content
open the log at System>Log and see the unescaped contents of the user and workspace

Files

72475.png (19.3 KB) 72475.png

Oliver Hader, 2015-12-30 13:23

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Bug #72475

XSS in belog module

Updated by Oliver Hader almost 9 years ago

Updated by Gerrit Code Review almost 9 years ago

Updated by Helmut Hummel almost 9 years ago

Updated by Gerrit Code Review almost 9 years ago

Updated by Gerrit Code Review almost 9 years ago

Updated by Oliver Hader almost 9 years ago

Updated by Gerrit Code Review almost 9 years ago

Updated by Oliver Hader almost 9 years ago

Updated by Benni Mack about 6 years ago