Possible XSS in Arnold
Bug #340542 reported by John-Magne Bredal
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Network Administration Visualized | Fix Released | High | John-Magne Bredal |
Bug Description
It is possible to use the output variable in Arnold to do an XSS for users using Arnold.
Fix attached.
Changed in nav:
assignee: nobody → john-m-bredal
importance: Undecided → High
milestone: none → v3.5.2
status: New → Confirmed
Changed in nav:
status: Confirmed → Triaged
Thanks, John-Magne. A more permanent fix, though, would be storing messages in the user's session data, instead of having them in the URL.
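An added illustration (not NAV's code and not the attached fix) of the two mitigations discussed in this report: escaping a message that arrives in the URL, and keeping messages in server-side session data instead. The parameter name `output` follows the bug description; the function names, the in-memory session store and the sample query string are assumptions made for the example.

```python
import html
import secrets
from urllib.parse import parse_qs

# Constructed sample: a query string carrying markup in the "output" parameter.
SAMPLE_QS = "output=%3Cscript%3Ealert(1)%3C/script%3E"

# Hypothetical in-memory session store; a real application would use the
# session mechanism of its web framework.
_SESSIONS = {}


def render_vulnerable(query_string):
    """'Before' pattern: the URL-supplied message is written out unescaped."""
    output = parse_qs(query_string).get("output", [""])[0]
    return "<div class='message'>%s</div>" % output


def render_escaped(query_string):
    """Short-term fix: HTML-escape the URL-supplied value before output."""
    output = parse_qs(query_string).get("output", [""])[0]
    return "<div class='message'>%s</div>" % html.escape(output, quote=True)


def new_session():
    """Create a session with an unguessable id and an empty message queue."""
    sid = secrets.token_hex(16)
    _SESSIONS[sid] = {"messages": []}
    return sid


def flash(sid, message):
    """Server-side code queues the message; nothing is put in the redirect URL."""
    _SESSIONS[sid]["messages"].append(message)


def render_from_session(sid, query_string=""):
    """Longer-term fix: ignore the URL entirely, show queued messages once."""
    messages = _SESSIONS[sid]["messages"]
    _SESSIONS[sid]["messages"] = []  # each message is displayed a single time
    # Still escape on output: queued text may contain user-influenced values.
    return "".join(
        "<div class='message'>%s</div>" % html.escape(m, quote=True)
        for m in messages
    )
```

With the session variant, a crafted link can no longer choose what the page displays, because the message text never travels through the request.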