Possible XSS in Arnold

Bug #340542 reported by John-Magne Bredal
Affects: Network Administration Visualized
Status: Fix Released
Importance: High
Assigned to: John-Magne Bredal
Milestone:

Bug Description

It is possible to use the output variable in Arnold to do an XSS for users using Arnold.

Fix attached.

John-Magne Bredal (john-m-bredal) wrote :
Morten Brekkevold (mbrekkevold) wrote :

Thanks, John-Magne. A more permanent fix, though, would be storing messages in the user's session data, instead of having them in the URL.
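
The two approaches discussed in this report, as an added illustration that is not NAV's or Arnold's own code: the reflected pattern where the `output` URL parameter is echoed into the page, the quick fix of HTML-escaping it, and the more permanent fix of keeping messages in server-side session data so the URL carries no message at all. The in-memory session store and function names are assumptions made for this example.

```python
from html import escape
from urllib.parse import parse_qs
import secrets

# Constructed in-memory session store; a real deployment would use the
# application's server-side session backend (assumption for this example).
SESSIONS = {}


def render_message_from_url_unsafe(query_string: str) -> str:
    """Vulnerable pattern: the 'output' query parameter lands in the page
    verbatim, so markup in a crafted link is interpreted by the browser."""
    params = parse_qs(query_string)
    output = params.get("output", [""])[0]
    return f'<div class="message">{output}</div>'


def render_message_from_url_escaped(query_string: str) -> str:
    """Quick fix: HTML-escape the parameter before emitting it."""
    params = parse_qs(query_string)
    output = params.get("output", [""])[0]
    return f'<div class="message">{escape(output, quote=True)}</div>'


def new_session() -> str:
    """Create a session and return its opaque id (carried in a cookie in practice)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"messages": []}
    return sid


def queue_message(session_id: str, text: str) -> None:
    """Permanent fix: the message stays server-side; the redirect URL carries nothing."""
    SESSIONS[session_id]["messages"].append(text)


def render_session_messages(session_id: str) -> str:
    """Pop queued messages and render them, still escaped: session storage removes
    the URL as an injection vector, but output encoding stays the rule for any text."""
    messages = SESSIONS[session_id]["messages"]
    SESSIONS[session_id]["messages"] = []
    return "".join(f'<div class="message">{escape(m, quote=True)}</div>' for m in messages)
```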

Changed in nav:
assignee: nobody → john-m-bredal
importance: Undecided → High
milestone: none → v3.5.2
status: New → Confirmed
Changed in nav:
status: Confirmed → Triaged
Morten Brekkevold (mbrekkevold) wrote :

Fix committed and pushed to series/3.5.x: http://metanav.uninett.no/hg/series/3.5.x/rev/be777da2c33a

Changed in nav:
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
