Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/acqui
History
Amit Gupta 0cf9eb0cfb Bug 19052 - XSS Flaws in - Invoice search page 
1. Hit /cgi-bin/koha/acqui/invoices.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> Invoiceno,
   ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Invoiceno,
   ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00
..
csv Bug 18331: POST_CHOMP everywhere! 2017-08-15 12:17:41 -03:00
tables Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
acqui-home.tt
addorder.tt
addorderiso2709.tt Bug 15503 (QA Followup) 2017-02-14 15:11:03 +00:00
ajax.tt
basket.tt Bug 8612: Use CSV profile for exporting basket 2017-06-05 12:02:08 -03:00
basketgroup.tt Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
basketheader.tt
booksellers.tt Bug 19052 - XSS Flaws in vendor search page 2017-08-29 12:00:37 -03:00
cancelorder.tt
edi_ean.tt
edifactmsgs.tt Bug 16239 [CSS Follow-up] Upgrade Bootstrap in the staff client 2017-01-13 14:41:23 +00:00
edimsg.tt
histsearch.tt
invoice-files.tt
invoice.tt Bug 11122: Follow up - Fix some display issues and typos 2017-06-05 11:48:16 -03:00
invoices.tt Bug 19052 - XSS Flaws in - Invoice search page 2017-08-29 12:00:37 -03:00
lateorders.tt Bug 17446: Typo seleted 2016-10-11 16:54:10 +00:00
modordernotes.tt
neworderbiblio.tt Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
neworderempty.tt Bug 18525: (bug 14828 follow-up) FIX ordering from suggestion when item-level_itypes = biblio 2017-05-12 08:50:40 -04:00
neworderempty_duplicate.tt
newordersubscription.tt
newordersuggestion.tt Bug 17899 - Show only mine does not work in newordersuggestion.pl 2017-01-20 14:10:36 +00:00
ordered.tt Bug 17771: Add link to bibliographic record on spent/ordered lists in acquisitions 2017-01-19 11:44:29 +00:00
orderreceive.tt Bug 14541: Do not truncate tax rate values 2016-12-09 16:29:33 +00:00
parcel.tt Bug 18722: Fund name is not shown in received orders fund subtotals 2017-06-09 11:32:48 -03:00
parcels.tt
spent.tt Bug 17771 [QA Followup] - Tidy table html 2017-01-19 11:48:55 +00:00
supplier.tt Bug 19118 - Due to wrong variable name passed vendor name is not coming in browser title bar 2017-08-25 12:12:25 -03:00
transferorder.tt Bug 11122: Follow up - Fix some display issues and typos 2017-06-05 11:48:16 -03:00
uncertainprice.tt Bug 11122: Follow up - Fix some display issues and typos 2017-06-05 11:48:16 -03:00
z3950_search.tt Bug 17487: Styling moved from style attribute into staff-global.css 2017-01-20 14:11:55 +00:00