git.koha-community.org Git - koha.git/commit
Bug 14416 Stored XSS vulnerability
author Chris Cormack <chrisc@catalyst.net.nz>
Thu, 18 Jun 2015 23:26:02 +0000 (11:26 +1200)
committer Mason James <mtj@kohaaloha.com>
Sun, 21 Jun 2015 17:43:33 +0000 (05:43 +1200)
commit 697fd4472d1dea6f5ad1e46294aaf3da4f0b3986
tree 7a5ed42faa3577f8aeb24e029338b1d81606360b
parent 2301be80b1be5213bcd265d221f0303f43b1e5ff
Bug 14416 Stored XSS vulnerability

opac-addbybiblionumber.pl is also vulnerable because it doesn't escape
list names.

To test
1/ Create a malicious list name
2/ Try to add a biblio to the lists
3/ Notice js is executed
4/ Apply patch
5/ Test again

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt
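
As an added example (not part of this commit or of Koha's code), the following Python check flags Template Toolkit output directives that print a value without the `html` filter, which is the class of defect the commit message describes for list names. The template snippet and its variable names (`lists`, `list.name`, `current.name`, `newlist`) are constructed for illustration and are not taken from opac-addbybiblionumber.tt.

```python
import re

# A Template Toolkit directive: [% ... %], with optional chomp markers.
DIRECTIVE = re.compile(r"\[%[-+~=]?\s*(.*?)\s*[-+~=]?%\]", re.S)
# Directives that start with these keywords do not print a variable directly.
KEYWORDS = {"IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "FOR", "WHILE",
            "SET", "DEFAULT", "INCLUDE", "PROCESS", "INSERT", "USE", "BLOCK",
            "SWITCH", "CASE", "WRAPPER", "FILTER", "MACRO", "CALL", "NEXT",
            "LAST", "RETURN", "STOP", "TRY", "CATCH", "FINAL", "THROW", "TAGS"}
# Filters that HTML-escape the value before it is printed.
SAFE_FILTERS = {"html", "html_entity"}
# Splits on a single "|" (not the "||" operator) or on the FILTER keyword.
FILTER_SEP = re.compile(r"(?<!\|)\|(?!\|)|\bFILTER\b")

def unescaped_outputs(template):
    """Return [(line_number, expression)] for outputs lacking an HTML filter."""
    findings = []
    for match in DIRECTIVE.finditer(template):
        body = match.group(1)
        if not body or body.startswith("#"):      # empty or comment directive
            continue
        if body.split()[0] == "GET":              # explicit output keyword
            body = body[3:].strip()
        if body.split()[0] in KEYWORDS:           # control flow, includes, ...
            continue
        if re.match(r"[\w.]+\s*=(?!=)", body):    # assignment prints nothing
            continue
        parts = FILTER_SEP.split(body)
        filters = {p.strip().split("(")[0].strip() for p in parts[1:]}
        if not filters & SAFE_FILTERS:
            line = template.count("\n", 0, match.start()) + 1
            findings.append((line, parts[0].strip()))
    return findings

# Constructed sample: a list picker with two unescaped list names.
SAMPLE = """\
<select name="shelfnumber">
[% FOREACH list IN lists %]
  <option value="[% list.id | html %]">[% list.name %]</option>
[% END %]
</select>
<p>Adding to [% IF newlist %][% newlist FILTER html %][% ELSE %][% current.name %][% END %]</p>
"""

if __name__ == "__main__":
    for line, expr in unescaped_outputs(SAMPLE):
        print(f"line {line}: [% {expr} %] is printed without an html filter")
```

The check is a heuristic: it does not know whether a flagged value is user-controlled or already escaped upstream, so each finding needs a manual look.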