]> git.koha-community.org Git - koha.git/commit
Bug 14416: Stored XSS vulnerability
authorChris Cormack <chrisc@catalyst.net.nz>
Thu, 18 Jun 2015 23:26:02 +0000 (11:26 +1200)
committerTomas Cohen Arazi <tomascohen@unc.edu.ar>
Mon, 22 Jun 2015 14:00:09 +0000 (11:00 -0300)
commitfb51a4bb0f3ac8b42b53579fe3d6d73d0b3438cd
treeaf214e30c43a42521201f371a7da8f2ec5b27e3e
parent703a928b9d81e974d56c306cd0bee3670f243c55
Bug 14416: Stored XSS vulnerability

opac-addbybiblionumber.pl is also vulnerable because it doesn't escape
list names.

To test
1/ Create a malicious list name
2/ Try to add a biblio to the lists
3/ Notice js is excuted
4/ Apply patch
5/ Test again

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt