View Issue Details

ID: 14634
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2019-04-02 16:39
Reporter: markusfluer
Assigned To: DenisChenu
Priority: none
Severity: major
Status: closed
Resolution: fixed
Product Version: 3.16.x
Target Version:
Fixed in Version: 3.17.x
Summary: 14634: XSS Attack Vector - KCFinder
Description

KCFinder has an open attack vector via GET request:

https://<domain>/third_party/kcfinder/upload.php?&CKEditorFuncNum=1-alert(1),2,3);}else{alert(document.domain);}if(true){//
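The parameter in that URL is the CKEditor upload callback id. The snippet below is an added example written for this report, not KCFinder's or LimeSurvey's code and not the content of the linked fix; it contrasts the pattern that makes such a vector possible (a request parameter interpolated into an inline script) with a hardened handler that enforces the integer contract and JSON-encodes the remaining strings. The callback shape `window.parent.CKEDITOR.tools.callFunction(funcNum, url, message)` is assumed from CKEditor's documented upload protocol; the function names and sample input are constructed for the example.

```php
<?php
// Added example (not KCFinder's or LimeSurvey's code).
// CKEditor's upload protocol hands the endpoint a numeric callback id in
// CKEditorFuncNum and expects it echoed back inside an inline script call
// (assumed signature: window.parent.CKEDITOR.tools.callFunction(num, url, msg)).

// Vulnerable pattern (constructed): the raw parameter is dropped straight into
// JavaScript, so anything that is not a plain number becomes executable code.
function unsafe_callback_script(array $get, string $url, string $msg): string
{
    $funcNum = $get['CKEditorFuncNum'] ?? '';
    return "<script>window.parent.CKEDITOR.tools.callFunction($funcNum, '$url', '$msg');</script>";
}

// Hardened pattern: the callback id is an integer by contract, so reject
// anything else before it reaches the response, and JSON-encode the strings
// with HEX flags so quotes, angle brackets and </script> cannot break out.
function safe_callback_script(array $get, string $url, string $msg): string
{
    $raw = (string)($get['CKEditorFuncNum'] ?? '');
    if ($raw === '' || !ctype_digit($raw)) {
        http_response_code(400);   // malformed callback id: refuse to render a script
        return '';
    }
    $jsonFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return sprintf(
        "<script>window.parent.CKEDITOR.tools.callFunction(%d, %s, %s);</script>",
        (int)$raw,
        json_encode($url, $jsonFlags),
        json_encode($msg, $jsonFlags)
    );
}

// Constructed request mirroring the shape of the parameter in the report.
$request = ['CKEditorFuncNum' => '1-alert(1),2,3);}else{alert(document.domain);}if(true){//'];

// Unsafe handler: the injected JavaScript survives verbatim in the response.
echo unsafe_callback_script($request, '/files/x.png', '') . "\n";

// Hardened handler: empty body and a 400 status for the same input.
echo safe_callback_script($request, '/files/x.png', '') . "\n";

// Hardened handler with a well-formed id and a hostile filename still
// produces a script whose only variable parts are a number and JSON strings.
echo safe_callback_script(['CKEditorFuncNum' => '7'], "/files/a'b</script>.png", 'ok') . "\n";
```

Run it with `php example.php`; the first line of output shows why reflecting the parameter is dangerous, the second is empty, and the third renders the single quote and the closing tag as `\u0027` and `\u003C/script\u003E` escapes. A content-security-policy header that blocks inline scripts is a second layer for endpoints that cannot drop the inline callback.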

Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.16.0
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version: irrelevant
Server OS (if known):
Webserver software & version (if known):
PHP Version: irrelevant

Activities

DenisChenu (developer), 2019-03-22 18:58, note ~51100

I have a JS alert: unknown error with this link

DenisChenu (developer), 2019-03-25 08:38, note ~51114

https://github.com/LimeSurvey/LimeSurvey/commit/79ae17251261f2f21ec10e750a56da1ae22fb0fa

Issue History

Date Modified Username Field Change
2019-03-12 13:50 markusfluer New Issue
2019-03-22 16:00 DenisChenu View Status public => private
2019-03-22 18:58 DenisChenu Note Added: 51100
2019-03-23 09:25 DenisChenu Assigned To => DenisChenu
2019-03-23 09:25 DenisChenu Status new => assigned
2019-03-25 08:38 DenisChenu Status assigned => resolved
2019-03-25 08:38 DenisChenu Resolution open => fixed
2019-03-25 08:38 DenisChenu Note Added: 51114
2019-03-25 08:38 DenisChenu View Status private => public
2019-03-25 08:41 DenisChenu Fixed in Version => 3.16.x
2019-04-02 16:39 ollehar Status resolved => closed
2019-04-02 16:39 ollehar Fixed in Version 3.16.x => 3.17.x