git.koha-community.org Git - koha.git/commit
Bug 19052 - XSS Flaws in - Invoice search page
author    Amit Gupta <amit.gupta@informaticsglobal.com>
          Mon, 7 Aug 2017 16:47:14 +0000 (22:17 +0530)
committer Mason James <mtj@kohaaloha.com>
          Thu, 24 Aug 2017 05:43:00 +0000 (17:43 +1200)
commit    1e74b19207b0b137788eee44e0456ef682479e1e
tree      fdcc355fa2d03f5260dc86d423f844b766a97b57
parent    818dd531ecae29e0a6e14072ed9d8f5d448cfafb
Bug 19052 - XSS Flaws in - Invoice search page

1. Hit /cgi-bin/koha/acqui/invoices.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Invoiceno,
   ISBN/EAN/ISSN, Title, Author, Publisher, Publication year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload the page, and enter the iframe again in the Invoiceno,
   ISBN/EAN/ISSN, Title, Author, Publisher, Publication year search box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoices.tt
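The page lists the changed template (koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoices.tt) but does not show the diff. The following is an added Perl/Template Toolkit example, not the patch itself and not Koha's invoices.tt, showing the vulnerable pattern the test plan exercises (a search term echoed back into the form unescaped) beside the hardened form that Template Toolkit's built-in html filter gives. The field name invoicenumber, the two template lines and the payload are assumptions chosen to mirror the test plan; the real template may differ.

```perl
#!/usr/bin/perl
# Added illustration, not Koha's own invoices.tt and not the patch's diff.
# Renders a search-form fragment twice with Template Toolkit (the engine
# Koha's .tt files use): once echoing the submitted value raw, once through
# the built-in "html" filter, which is the usual fix for this class of bug.
# The field name (invoicenumber) and both template lines are assumptions.
use strict;
use warnings;
use Template;

# Constructed payload, the same shape as the one in the test plan.
my $payload = q{<IFRAME SRC="javascript:alert('XSS');"></IFRAME>};

# Vulnerable pattern: the search term is interpolated as-is, so the
# closing quote and the <IFRAME> tag become markup the browser parses.
my $vulnerable = q{<input type="text" name="invoicenumber" value="[% invoicenumber %]" />};

# Hardened pattern: the html filter turns < > & " into entities, so the
# browser sees text inside the attribute value, not a new element.
my $hardened = q{<input type="text" name="invoicenumber" value="[% invoicenumber | html %]" />};

my $tt = Template->new() or die Template->error;

for my $case ( [ 'vulnerable', $vulnerable ], [ 'hardened', $hardened ] ) {
    my ( $label, $template ) = @$case;
    my $out = '';
    $tt->process( \$template, { invoicenumber => $payload }, \$out )
        or die $tt->error;
    print "$label: $out\n";
}

# Cheap regression check of the kind steps 5-6 of the test plan do by hand:
# the hardened output must not contain the raw tag.
my $check = '';
$tt->process( \$hardened, { invoicenumber => $payload }, \$check )
    or die $tt->error;
die "payload still rendered as markup\n" if $check =~ /<IFRAME/i;
print "ok: hardened template escaped the payload\n";
```

Run it with `perl` and the Template module installed. The vulnerable line prints the iframe verbatim inside the value attribute; the hardened line prints it as `&lt;IFRAME SRC=&quot;javascript:alert('XSS');&quot;&gt;...`, which is what step 6 of the test plan is checking for in the browser. The same `| html` treatment applies to every field the test plan names, since each is echoed back into its search box.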