projects / koha.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 14646cd) | patch
Bug 19052 - XSS Flaws in - Invoice search page
authorAmit Gupta <amit.gupta@informaticsglobal.com>
Mon, 7 Aug 2017 16:47:14 +0000 (22:17 +0530)
committerFridolin Somers <fridolin.somers@biblibre.com>
Wed, 23 Aug 2017 14:55:34 +0000 (16:55 +0200)
commitac54b9703689d9c29d8b195253d26f2ff866e564
tree52580a5b2867f09084b73c0b562caa54d6dc277btree | snapshot
parent14646cd3f84db891f1fe5562ba2577c3fc82cd7ccommit | diff
Bug 19052 - XSS Flaws in - Invoice search page

1. Hit /cgi-bin/koha/acqui/invoices.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> Invoiceno,
   ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Invoiceno,
   ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 44c25d74b64ed9f125362e9627c7f9bc5635d369)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoices.tt diff | blob | history
Main Koha release repository