View Issue Details

ID: 0004202
Project: Composr non-bundled addons
Category: [All Projects] General / Uncategorised
View Status: public
Last Update: 2020-04-18 01:59
Reporter: Chris Graham
Assigned To: Chris Graham
Severity: Security-hole
Status: resolved
Resolution: fixed
Summary0004202: XSS hole in non-bundled image_slider addon
Description: The image_slider addon does not escape image titles or URLs properly.

If the slider is being used with user-submitted content, this presents a security hole if the user was not subject to the JavaScript filter on POST data (by having the "Avoid broad input filtering security layer" privilege, or by otherwise defeating the filter).
Tags: No tags attached.
Time estimation (hours):
Sponsorship: open
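The defect the description names is missing output escaping of user-controlled image titles and URLs. The JavaScript below is an added example, not the image_slider addon's own code: a hypothetical slide renderer in its unsafe form next to an escaped form, run over constructed slide data that includes the kind of payload a filter-exempt user could submit. The slide fields, helper names and HTML layout are assumptions. The point it makes is that attribute encoding plus a URL scheme allowlist neutralise the payload at output time, regardless of whether the broad POST-data filter was applied on the way in.

```javascript
// Added example (not Composr or image_slider code). Renders slider markup from
// user-controlled slide records, first without escaping (the defect class the
// issue describes), then with attribute escaping and URL scheme checking.

// Constructed sample data. The second slide is a textbook attribute break-out
// plus a script-capable URL scheme, as a user exempt from the broad POST
// filter could submit.
const SLIDES = [
  { title: 'Sunset over the bay', url: 'https://example.com/img/sunset.jpg' },
  { title: '"><img src=x onerror=alert(1)>', url: 'javascript:alert(document.cookie)' },
];

// Unsafe: values concatenated straight into HTML attributes. A double quote in
// the title closes the attribute and the rest of the payload becomes markup.
function renderSlideUnsafe(slide) {
  return '<li><img src="' + slide.url + '" alt="' + slide.title +
    '" title="' + slide.title + '"></li>';
}

// Escape the five characters that can change meaning in HTML text or inside a
// double- or single-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URLs need more than escaping: escaping stops an attribute break-out, but a
// javascript: or data: URL is still live inside a correctly quoted src. Allow
// only http(s), protocol-relative and site-relative URLs; everything else is
// dropped so the slide renders with an empty src rather than a script.
function safeImageUrl(value) {
  const url = String(value).trim();
  if (/^(https?:)?\/\//i.test(url) || url.startsWith('/')) {
    return escapeHtml(url);
  }
  return '';
}

// Hardened: every user-controlled value passes through escapeHtml, and the URL
// is additionally scheme-checked before it reaches the src attribute.
function renderSlideSafe(slide) {
  const title = escapeHtml(slide.title);
  const src = safeImageUrl(slide.url);
  return `<li><img src="${src}" alt="${title}" title="${title}"></li>`;
}

// Wrap a list of slides with whichever renderer is passed in.
function renderSlider(slides, renderSlide) {
  return '<ul class="slider">' + slides.map(renderSlide).join('') + '</ul>';
}

// Count <img tags in a fragment: one per slide is expected; more means the
// title broke out of its attribute and injected markup.
function countImgTags(html) {
  return (html.match(/<img/g) || []).length;
}

console.log('unsafe:', renderSlider(SLIDES, renderSlideUnsafe));
console.log('safe:  ', renderSlider(SLIDES, renderSlideSafe));
```

The unsafe rendering of the second slide yields three `<img` tags and a live `javascript:` src from a single slide record; the hardened rendering yields exactly one, with the payload visible only as inert attribute text. Input filtering on POST data is a separate, bypassable layer; the renderer is where the escaping has to live.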

Activities

admin (administrator), 2020-04-18 01:59, note ~0006505

Fixed in git commit 755a7480e (https://gitlab.com/composr-foundation/composr/commit/755a7480e - link will become active once code pushed to GitLab)

A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).

hotfix-4202, 2020-04-18 1am.tar (2,560 bytes)

Issue History

Date Modified: 2023-02-26 18:29
Username: Chris Graham
Field: Category
Change: General => General / Uncategorised