View Issue Details

Issue ID: 0004157
Project: Composr
Category: core_cns
View Status: public
Last Update: 2020-02-28 17:20
Reporter: Chris Graham
Assigned To: Chris Graham
Severity: Security-hole
Status: resolved
Resolution: fixed
Product Version: 10.0.30
Fixed in Version: 10.0.31
Summary: 0004157: XSS if showing topics via main_multi_content block
Description: If you use the main_multi_content block to show topics, there's an XSS vulnerability with the topic summary field.

I'm not aware of any site using main_multi_content like this - as conceivably all sites would be using the main_forum_topics block instead. The issue came up in testing changes in v11.
Tags: No tags attached.
Sponsorship: open

Activities

admin (administrator), 2020-02-28 17:20, note ~0006457

Fixed in git commit 5c3362786 (https://gitlab.com/composr-foundation/composr/commit/5c3362786 - link will become active once code pushed to GitLab)

A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).

hotfix-4157, 2020-02-28 5pm.tar (15,360 bytes)
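The report names the defect only as an XSS in the topic summary field, so the following is an added illustration of the general pattern, not Composr's own code and not the content of the linked commit: a hypothetical render function that interpolates a summary into HTML unescaped, beside the hardened form that escapes at the output boundary. The function names and the sample summary are constructed for this example.

```php
<?php
// Added illustration, not Composr's code: the XSS pattern the report describes
// (a stored topic summary reflected into HTML without escaping) next to the
// hardened version. Function names and sample data are hypothetical.

// Constructed sample: a summary carrying attacker-controlled markup, as a
// forum user could submit when creating a topic.
const SAMPLE_SUMMARY = 'Great thread <img src=x onerror="alert(1)">';

// Vulnerable: concatenates the summary straight into markup, so any tags or
// event handlers it contains are rendered and executed by the browser.
function render_summary_unsafe(string $summary): string
{
    return '<p class="summary">' . $summary . '</p>';
}

// Hardened: HTML-escape exactly at the point the value enters markup.
// ENT_QUOTES escapes both quote styles so the result is also safe inside
// attribute values; ENT_SUBSTITUTE replaces malformed UTF-8 instead of
// silently returning an empty string.
function render_summary_safe(string $summary): string
{
    return '<p class="summary">'
        . htmlspecialchars($summary, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Regression check a maintainer could keep in a test suite: the rendered
// output must not carry a raw tag from the input, only its escaped form.
function summary_is_escaped(string $rendered, string $input): bool
{
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return strpos($rendered, '<img') === false
        && strpos($rendered, $escaped) !== false;
}

echo render_summary_unsafe(SAMPLE_SUMMARY), "\n";
echo render_summary_safe(SAMPLE_SUMMARY), "\n";
var_dump(summary_is_escaped(render_summary_safe(SAMPLE_SUMMARY), SAMPLE_SUMMARY));
```

The key design point is where the escaping happens: at render time, for the specific output context (HTML body here), rather than on input, so the same stored summary can be emitted safely into HTML, attributes or other contexts with the escaping appropriate to each. Reviewing a block like main_multi_content for this class of bug means finding every template parameter that comes from user-submitted fields and confirming each passes through such an escape before reaching the page.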
