Bug #11859

Updated by Dominic Cleal about 5 years ago

We allow storage of key/value parameters globally or assigned to various objects, and using a tickbox in the UI the values can be hidden to mask them from casual viewing. The tickbox that hides/shows the value fails to handle HTML properly and so is vulnerable to an XSS issue where HTML can be stored in a parameter, and executed by another user if they later tick the hide/show box.

An example on the global parameters form is:

"><script>alert("hi")</script><b c="

Store this in a parameter value, reload the page and click the "Hidden value" checkbox and the JavaScript will execute. The reverse is probably possible too.

CVE identifier requested via