[Koha-bugs] [Bug 6632] New: [security] XSS on list name (on admin part)
bugzilla-daemon at bugs.koha-community.org
Tue Jul 26 11:28:52 CEST 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6632
Bug #: 6632
Summary: [security] XSS on list name (on admin part)
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: rel_3_4
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: Templates
AssignedTo: oleonard at myacpl.org
ReportedBy: semarie-koha at latrappe.fr
QAContact: koha-bugs at lists.koha-community.org
There are 3 XSS on the lists detail page, for the shelf name parameter, on the
staff part.
In order to test:
1. on the OPAC, create a new list named 'a <blink>simple</blink> list'
2. log in as admin on the staff part.
3. go to Lists
4. select the list named 'a <blink>simple</blink> list' (no XSS here)
5. the word 'simple' *blinks* in 3 places
The issue is mitigated by the fact that the list of shelves displays the code,
and the admin should see it before triggering the XSS.
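The report above is a stored XSS: the shelf name is saved verbatim through the OPAC and later interpolated into the staff-side page without escaping. The following is an added illustration, not Koha's own code and not the actual staff template: it renders a constructed shelf name (the payload from the report) through Template Toolkit, Koha's templating engine, once with bare interpolation and once with the `html` filter, in three hypothetical output contexts (heading, attribute value, title). The context names and template fragments are assumptions made for the example; the point is that each output point needs its own escaping, and that the OPAC showing the raw markup does nothing to protect the staff page.

```perl
#!/usr/bin/perl
# Added example (not Koha code). Requires the Template module (Template Toolkit).
use strict;
use warnings;
use Template;

# Constructed input, taken from the reproduction steps in the report.
my $shelfname = 'a <blink>simple</blink> list';

# Three hypothetical places a staff page might print the shelf name.
# The "| html" filter converts <, >, & and " to entities so the browser
# treats the value as text rather than markup.
my %fragments = (
    heading   => { unsafe => '<h1>[% shelfname %]</h1>',
                   safe   => '<h1>[% shelfname | html %]</h1>' },
    attribute => { unsafe => '<input name="shelfname" value="[% shelfname %]">',
                   safe   => '<input name="shelfname" value="[% shelfname | html %]">' },
    title     => { unsafe => '<title>Lists &rsaquo; [% shelfname %]</title>',
                   safe   => '<title>Lists &rsaquo; [% shelfname | html %]</title>' },
);

my $tt = Template->new() or die Template->error();

# Render one template string with the shelf name and return the output.
sub render {
    my ($template) = @_;
    my $out = '';
    $tt->process(\$template, { shelfname => $shelfname }, \$out)
        or die $tt->error();
    return $out;
}

# Simple check: did the injected tag survive as live markup?
sub contains_live_tag {
    my ($html) = @_;
    return $html =~ /<blink>/ ? 1 : 0;
}

for my $context (sort keys %fragments) {
    for my $variant (qw(unsafe safe)) {
        my $out = render($fragments{$context}{$variant});
        printf "%-9s %-6s %s  =>  %s\n",
            $context, $variant,
            contains_live_tag($out) ? 'XSS' : 'ok ',
            $out;
    }
}
```

Running this prints the three `unsafe` renderings with a live `<blink>` element and the three `safe` renderings with `&lt;blink&gt;` instead. Note that the `html` filter is only correct for HTML element content and quoted attribute values; a value written into inline JavaScript or a URL needs a filter for that context instead.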