View Issue Details

ID: 14765
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2019-04-30 09:13
Reporter: bewi
Assigned To: p_teichmann
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 3.17.x
Target Version:
Fixed in Version: 3.17.x
Summary: 14765: Persistent XSS for Menu Entries
Description

The fields 'title' and 'link' are not secured and execute HTML code if shown in the list.

Steps To Reproduce

Create a new menu entry with the payload <script>alert('menu entries->fieldname');</script> in the fields 'title' and 'link', then change to the page in the listing where this entry is shown.

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 3.17.1+190408
I will donate to the project if issue is resolved: No
Browser: FF
Database & DB-Version: mysql
Server OS (if known): *
Webserver software & version (if known): *
PHP Version: 7.2

Activities

bewi

2019-04-10 15:48

reporter  

c_schmitz

2019-04-30 09:13

administrator   ~51679

Fixed in version 3.17.3
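
An added example, not part of the original report and not LimeSurvey's actual fix: the class of defect described above (stored 'title' and 'link' values written into a listing without output encoding) next to a hardened rendering. The function names, the link policy (relative paths and http/https only) and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration. Function names are hypothetical, not LimeSurvey's code.

/** Encode a stored value for HTML text and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Return the link if it may be emitted as an href, otherwise null.
 * Assumed policy: relative paths and http(s) URLs only.
 */
function safeMenuLink(string $link): ?string
{
    $link = trim($link);
    // Reject empty values, control characters, whitespace and backslashes.
    if ($link === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $link)) {
        return null;
    }
    // RFC 3986 scheme syntax; anything with a scheme must be http or https.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $link, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true) ? $link : null;
    }
    // No scheme: treat as relative, but refuse protocol-relative URLs.
    return strpos($link, '//') === 0 ? null : $link;
}

/** Render one row of the menu entry listing with both fields encoded. */
function renderMenuEntryRow(array $entry): string
{
    $title = h((string) ($entry['title'] ?? ''));
    $raw   = (string) ($entry['link'] ?? '');
    $link  = safeMenuLink($raw);
    $cell  = $link !== null
        ? '<a href="' . h($link) . '">' . h($link) . '</a>'
        : h($raw); // shown as inert text, never as markup or an href
    return "<tr><td>{$title}</td><td>{$cell}</td></tr>";
}

// Constructed sample rows: the payload from the report, then a benign entry.
$payload = "<script>alert('menu entries->fieldname');</script>";
echo renderMenuEntryRow(['title' => $payload, 'link' => $payload]), PHP_EOL;
echo renderMenuEntryRow(['title' => 'Overview', 'link' => 'admin/survey/sa/view']), PHP_EOL;
```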

Issue History

Date Modified Username Field Change
2019-04-10 15:48 bewi New Issue
2019-04-10 15:48 bewi File Added: LimeSurvey - 11 - menu entry.png
2019-04-16 15:26 p_teichmann Assigned To => p_teichmann
2019-04-16 15:26 p_teichmann Status new => assigned
2019-04-16 17:18 p_teichmann Status assigned => resolved
2019-04-16 17:18 p_teichmann Resolution open => fixed
2019-04-16 17:18 p_teichmann Fixed in Version => 3.17.x
2019-04-30 09:13 c_schmitz Note Added: 51679
2019-04-30 09:13 c_schmitz Status resolved => closed