Reflected XSS in user/group bulk CSV upload
Bug #1063480 reported by
Hugh Davenport
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
High
|
Hugh Davenport | ||
| 1.4 |
Fix Released
|
High
|
Hugh Davenport | ||
| 1.5 |
Fix Released
|
High
|
Hugh Davenport | ||
Bug Description
Affects the bulk user upload, as well as the group and group member CSV uploads.
If the CSV header has unknown fields, these are displayed as an error with no sanatization. This is done through pieforms error
displaying. This means it may affect other areas where pieform errors are returned based on user data.
It affects versions atleast back to 1.2 with the bulk user upload.
CVE References
Revision history for this message
| Hugh Davenport (hugh-davenport) wrote | #1 |
| Changed in mahara: | |
| status: | Triaged → Confirmed |
| status: | Confirmed → In Progress |
| visibility: | private → public |
| Changed in mahara: | |
| status: | In Progress → Fix Released |
Revision history for this message
| Hugh Davenport (hugh-davenport) wrote | #2 |
To post a comment you must log in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
status fixreleased
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://
iJwEAQECAAYFAlC
lM8LXAwZWa6zFv6
pCQXI9E7huPw802
oWvTpl7Xuac48e6
=ouU+
-----END PGP SIGNATURE-----