Koha/koha-tmpl/intranet-tmpl/prog/en/modules
Amit Gupta 1a7040b7b0 Bug 19054 - XSS Flaws in Report - Top Most-circulated items
1. Hit /cgi-bin/koha/reports/cat_issues_top.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in Callnumber, Day, Month, Year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Callnumber, Day, Month, Year search box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00
acqui Bug 19118 - Due to wrong variable name passed vendor name is not coming in browser title bar 2017-08-25 12:12:25 -03:00
admin Bug 19078 - XSS Flaws in System preferences 2017-08-29 12:00:37 -03:00
authorities Bug 18801 - Merging authorities has an invalid 'Default' type in the merge framework selector 2017-07-06 14:29:03 -03:00
basket Bug 12644 - Add subtitles to staff client cart 2017-08-15 12:17:45 -03:00
batch
catalogue Bug 18331: Fix CSV export (once and for all!) 2017-08-15 12:17:40 -03:00
cataloguing Bug 18277: Remove GetBiblionumberFromItemnumber - linkitem 2017-07-10 13:03:37 -03:00
circ Bug 18469: QA Follow-up 2017-08-15 12:17:43 -03:00
clubs Bug 18630: Translatability (Clubs): 'Cancel' is ambiguous and leads to mistakes 2017-06-15 15:56:00 -03:00
common
course_reserves Bug 18367 - Fix untranslatable string from Bug 18264 2017-07-13 16:42:03 -03:00
errors
help Bug 18817: Update links manually 2017-08-25 10:22:14 -03:00
installer Bug 17942 [Follow-up] Update style of the web installer with Bootstrap 3 2017-05-09 20:54:31 +00:00
labels
members Bug 19080: Handle non-existing patrons gratefully 2017-08-25 11:03:37 -03:00
offline_circ
onboarding Bug 18702: Translatability: Get rid of exposed if statement in tt for translated onboardingstep2.tt 2017-06-05 16:35:23 -03:00
patron_lists
patroncards Bug 18465: (followup) Fix issue with patron lists an do not use clone 2017-07-06 14:52:54 -03:00
plugins Bug 18430 - Plugins page should have a link to viewing other types 2017-06-05 11:59:26 -03:00
reports Bug 19054 - XSS Flaws in Report - Top Most-circulated items 2017-08-29 12:00:37 -03:00
reserve Bug 18534 - When IndependentBranches is enabled the pickup location displayed incorrectly on request.pl 2017-05-19 10:33:19 -04:00
reviews
rotating_collections
serials Bug 13747: Fix problems with frequency descriptions containing quotes 2017-06-05 16:34:26 -03:00
services
sms
suggestion Bug 18581 - Add standard edit and delete buttons to suggestions list 2017-08-25 10:59:04 -03:00
tags Bug 5471 - Quotes in tags fail 2017-08-10 13:20:31 -03:00
test
tools Bug 19049 [QA Followup] - Make plugin name first item in description 2017-08-15 12:17:42 -03:00
virtualshelves Bug 18980: Show distinction between shared and private lists in staff 2017-08-10 13:20:31 -03:00
about.tt Bug 19000: Fix typo in closing p tag for items 2017-07-28 11:14:26 -03:00
auth.tt Bug 18314 (QA Followup) Use OpacBaseURL for password reset link 2017-05-12 10:59:10 -04:00
intranet-main.tt Bug 19041: (bug 17855 follow-up) Fix regression on bug 16058 2017-08-08 09:20:35 -03:00