XSS Security issue on Launchpad CVE Sequence Number
Bug #208327 reported by Emanuele Gentili
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | Critical | Gavin Panella |
Bug Description
Launchpad has a security issue in the "CVE Sequence Number" text input on "Link to CVE".
The problem is in "CVE Sequence Number", because it accepts and executes the "<" and ">" characters.
It's possible to solve it with a simple PHP check using str_replace:
$up1 = array ("<" , ">");
and then substitute ${VAR} in the submitted string.
Fix similar to:
bug #204617
bug #207490
bug #207494
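
An added example, not part of the original report and not Launchpad's actual fix: it goes beyond the bracket filter described above by validating the field against an allowlist pattern and encoding the value for the HTML context where it is echoed. The CVE sequence pattern, the field name `sequence`, the function names and the sample inputs are all assumptions made for illustration.

```python
import html
import re

# Assumed shape of a CVE sequence number: four-digit year, hyphen, 4+ digits.
CVE_SEQUENCE = re.compile(r"(?:19|20)\d{2}-\d{4,}")

# Constructed sample input: contains no "<" or ">", only a double quote.
QUOTED_SAMPLE = '2008-0001" data-x="1'


def strip_angle_brackets(value):
    """Equivalent of the str_replace filter in the report: drop "<" and ">"."""
    return value.replace("<", "").replace(">", "")


def parse_cve_sequence(raw):
    """Return the sequence number if the whole input matches, else None."""
    candidate = raw.strip()
    if candidate.upper().startswith("CVE-"):
        candidate = candidate[4:]
    return candidate if CVE_SEQUENCE.fullmatch(candidate) else None


def render_field(raw):
    """Re-display the form field; the value is encoded for an HTML attribute."""
    return '<input name="sequence" value="%s">' % html.escape(raw, quote=True)


def render_error(raw):
    """Echo rejected input in an error message, encoded for HTML text."""
    return "<p>%s is not a valid CVE sequence number.</p>" % html.escape(raw)


if __name__ == "__main__":
    for raw in ("2008-1234", "<b>2008-1234</b>", QUOTED_SAMPLE):
        print(repr(raw), "->", parse_cve_sequence(raw))
        print("  stripped:", strip_angle_brackets(raw))
        print("  field:   ", render_field(raw))
```

The constructed quoted sample passes through the bracket filter unchanged, which is why the example encodes at output and rejects anything that is not a well-formed sequence number.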
Changed in launchpad:
assignee: nobody → allenap
importance: Undecided → Critical
Changed in launchpad:
status: Fix Committed → Fix Released
visibility: private → public
In RF 5972