Project

General

Profile

Actions

Bug #79753

closed

XSS in new image cropping wizard

Added by Sascha Egerer almost 8 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Must have
Assignee:
Category:
Backend User Interface
Target version:
Start date:
2017-02-10
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
easy
Is Regression:
No
Sprint Focus:

Description

The new image cropping wizard is vulnerable for a XSS attack.

Steps to reproduce:

  1. Upload a file
  2. Edit the file information and set the "title" of the file to Foo <script>alert(1);</script> Bar
  3. Save the file
  4. Create a new text media content element and add the file
  5. open the image cropper
Actions

Also available in: Atom PDF