Koha/koha-tmpl/intranet-tmpl/prog/en/modules
Amit Gupta 9f19d3d44c Bug 19051 - XSS Flaws in Batch item deletion page
1. Hit /cgi-bin/koha/tools/batchMod.pl?del=1
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Barcode list (one barcode per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area.
6. Notice it is no longer executed.
7. Fixes for both barcode and itemnumber.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00
acqui Bug 19052 - XSS Flaws in - Invoice search page 2017-08-29 12:00:37 -03:00
admin Bug 19078 - XSS Flaws in System preferences 2017-08-29 12:00:37 -03:00
authorities Bug 18801 - Merging authorities has an invalid 'Default' type in the merge framework selector 2017-07-06 14:29:03 -03:00
basket Bug 12644 - Add subtitles to staff client cart 2017-08-15 12:17:45 -03:00
batch
catalogue Bug 18331: Fix CSV export (once and for all!) 2017-08-15 12:17:40 -03:00
cataloguing Bug 18277: Remove GetBiblionumberFromItemnumber - linkitem 2017-07-10 13:03:37 -03:00
circ Bug 18469: QA Follow-up 2017-08-15 12:17:43 -03:00
clubs Bug 18630: Translatability (Clubs): 'Cancel' is ambiguous and leads to mistakes 2017-06-15 15:56:00 -03:00
common Bug 13835: Popup with searches: results hidden by language menu in footer 2017-04-28 08:35:30 -04:00
course_reserves Bug 18367 - Fix untranslatable string from Bug 18264 2017-07-13 16:42:03 -03:00
errors
help Bug 18817: Update links manually 2017-08-25 10:22:14 -03:00
installer Bug 17942 [Follow-up] Update style of the web installer with Bootstrap 3 2017-05-09 20:54:31 +00:00
labels Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
members Bug 19080: Handle non-existing patrons gratefully 2017-08-25 11:03:37 -03:00
offline_circ
onboarding Bug 18702: Translatability: Get rid of exposed if statement in tt for translated onboardingstep2.tt 2017-06-05 16:35:23 -03:00
patron_lists Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
patroncards Bug 18465: (followup) Fix issue with patron lists and do not use clone 2017-07-06 14:52:54 -03:00
plugins Bug 18430 - Plugins page should have a link to viewing other types 2017-06-05 11:59:26 -03:00
reports Bug 19054 - XSS Flaws in Report - Top Most-circulated items 2017-08-29 12:00:37 -03:00
reserve Bug 18534 - When IndependentBranches is enabled the pickup location displayed incorrectly on request.pl 2017-05-19 10:33:19 -04:00
reviews Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
rotating_collections Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
serials Bug 13747: Fix problems with frequency descriptions containing quotes 2017-06-05 16:34:26 -03:00
services
sms
suggestion Bug 18581 - Add standard edit and delete buttons to suggestions list 2017-08-25 10:59:04 -03:00
tags Bug 5471 - Quotes in tags fail 2017-08-10 13:20:31 -03:00
test
tools Bug 19051 - XSS Flaws in Batch item deletion page 2017-08-29 12:00:37 -03:00
virtualshelves Bug 18980: Show distinction between shared and private lists in staff 2017-08-10 13:20:31 -03:00
about.tt Bug 19000: Fix typo in closing p tag for items 2017-07-28 11:14:26 -03:00
auth.tt Bug 18314 (QA Followup) Use OpacBaseURL for password reset link 2017-05-12 10:59:10 -04:00
intranet-main.tt Bug 19041: (bug 17855 follow-up) Fix regression on bug 16058 2017-08-08 09:20:35 -03:00