[MAGNOLIA-3589] Cross-site scripting vulnerabilities in the AdminCentral
Created: 08/Mar/11  Updated: 13/Dec/11  Resolved: 13/Apr/11

Status: Closed
Project: Magnolia
Component/s: admininterface, security
Affects Version/s: None
Fix Version/s: 4.3.9, 4.4.3, 4.5

Type: Bug
Priority: Critical
Reporter: Philipp Bärfuss
Assignee: Ondrej Chytil
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We mainly tested and fixed XSS issues in the templates of Magnolia (STK), as they are served to the public. Now we got a report listing all potential XSS vulnerabilities in the AdminCentral. This is less critical, as a user has to be logged in before such an attack could happen. Nonetheless, the issues should get removed.

See the private report at: SUPPORT-915



 Comments   
Comment by Tobias Mattsson [ 11/Apr/11 ]

Is ?js_string the correct escaping given the context of where the value is used? Wouldn't ?html be a better choice?

<input type="hidden" name="groupBy" value="${this.groupBy?js_string}"/>

Comment by Ondrej Chytil [ 13/Apr/11 ]

Change of escape built-in.
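
Added example (not part of the issue or of Magnolia's code): the escaping-context question from the comments, checked in Python by rendering the hidden input with each kind of escaper and parsing the result as HTML. The two escaper functions are simplified stand-ins written for this example, not FreeMarker's implementations, and the sample value is constructed and inert.

```python
from html import escape
from html.parser import HTMLParser

# The attribute from the comment, with a placeholder for the escaped value.
TEMPLATE = '<input type="hidden" name="groupBy" value="{}"/>'

def js_string_escape(value):
    # Simplified stand-in (assumption): backslash-escape backslashes and quotes,
    # as an escaper meant for JavaScript string literals does.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")

def html_escape(value):
    # Stand-in (assumption): turn &, <, > and quotes into character references.
    return escape(value, quote=True)

class _InputAttrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def render(value, escaper):
    return TEMPLATE.format(escaper(value))

def parsed_attrs(markup):
    # Parse the markup as HTML and return the attributes seen on <input>.
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs

def stays_in_value(value, escaper):
    # True when the parser sees only the three intended attributes and the
    # value attribute round-trips to the original input.
    attrs = parsed_attrs(render(value, escaper))
    return set(attrs) == {"type", "name", "value"} and attrs["value"] == value

# Constructed, harmless input: a double quote followed by an inert data- attribute.
SAMPLE = 'a" data-injected="1'

if __name__ == "__main__":
    for escaper in (js_string_escape, html_escape):
        print(escaper.__name__, render(SAMPLE, escaper), stays_in_value(SAMPLE, escaper))
```

A backslash is ordinary text to an HTML parser, so a backslash-escaped quote still ends the attribute value, while the character reference does not.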
