The location variable is vulnerable to XSS. Simply add <script>alert(100);</script> to the text box and create the event.
When do you plan to fix this? This has been openly announced already: http://seclists.org/bugtraq/2012/Jan/128
I can help to create the patch if needed. As this is a stored cross-site scripting security vulnerability, you should fix this as soon as possible. I haven't tested this.
Information about XSS: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Verified this issue on the demo page and in a 1.2.4 installation.
Please find a proposed patch at https://sourceforge.net/tracker/?func=detail&aid=3488543&group_id=3870&atid=303870
The code is now in the REL_1_2 branch and will be included in the 1.2 release.
What is the status of this issue? Is the XSS attack fix included in the 1.2 release?
FreeBSD has been holding the port update pending this issue.