Reflected XSS in user/group bulk CSV upload

Bug #1063480 reported by Hugh Davenport on 2012-10-08
Affects       Status   Importance   Assigned to      Milestone
Mahara                 High         Hugh Davenport
Mahara 1.4             High         Hugh Davenport
Mahara 1.5             High         Hugh Davenport

Bug Description

Affects the bulk user upload, as well as the group and group member CSV uploads.

If the CSV header has unknown fields, these are displayed as an error with no sanitization. This is done through pieforms error
displaying. This means it may affect other areas where pieform errors are returned based on user data.

It affects versions at least back to 1.2 with the bulk user upload.
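The pattern the report describes, shown as an added example that is not Mahara's code: an unknown header field from an uploaded CSV is copied into an error message, and whether that message is escaped decides whether the upload form reflects the attacker's markup. The allowed field list, the header line and the two message builders below are constructed for this illustration only.

```php
<?php
// Added example (not Mahara's code): unknown CSV header fields echoed in a
// form error, vulnerable versus hardened. Field list and header are constructed.

// Hypothetical set of header names the importer accepts.
$allowed = array('username', 'email', 'firstname', 'lastname', 'password');

// Constructed attacker-controlled first line of the uploaded CSV file.
$headerLine = 'username,email,<script>alert(document.cookie)</script>';

// Returns the header fields that are not in the allowed set.
function unknown_fields($headerLine, array $allowed) {
    $unknown = array();
    foreach (str_getcsv($headerLine) as $field) {
        $field = trim($field);
        if ($field !== '' && !in_array(strtolower($field), $allowed, true)) {
            $unknown[] = $field;
        }
    }
    return $unknown;
}

// Vulnerable: the raw field names are concatenated into a message that the
// form library later prints as HTML, so the <script> tag is rendered and runs.
function error_message_vulnerable(array $unknown) {
    return 'Unknown field(s) in CSV header: ' . implode(', ', $unknown);
}

// Hardened: every untrusted value is escaped for an HTML context before it is
// placed in the message. ENT_QUOTES also covers single quotes in case the
// message is later placed inside an attribute.
function error_message_safe(array $unknown) {
    $escaped = array_map(function ($field) {
        return htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
    }, $unknown);
    return 'Unknown field(s) in CSV header: ' . implode(', ', $escaped);
}

$unknown = unknown_fields($headerLine, $allowed);
echo error_message_vulnerable($unknown), "\n";
echo error_message_safe($unknown), "\n";

// The hardened message must not contain a live tag.
assert(strpos(error_message_safe($unknown), '<script') === false);
```

Escaping at the point where the form library renders error text, rather than in each caller, is the more robust fix: the report notes that other code paths that feed user data into pieform errors would otherwise need the same per-caller correction.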

Hugh Davenport (hugh-davenport) wrote :
Changed in mahara:
status: Triaged → Confirmed
status: Confirmed → In Progress
Melissa Draper (melissa) on 2012-10-10
visibility: private → public
Changed in mahara:
status: In Progress → Fix Released

status fixreleased
