
CVE-2018-16362 - XSS in Manage Repository and Changesets List pages #286

Closed
dregad opened this issue Sep 1, 2018 · 1 comment

Comments

@dregad
Member

dregad commented Sep 1, 2018

@atrol reported an XSS vulnerability in repo_manage_page.php and list.php

Steps to reproduce:

  1. Create a new repository, set all text fields to <script>alert('XSS');</script>
  2. Save changes, the Manage Repository page executes the code (or reports CSP violations)
  3. Click on Browse to navigate to Changesets page for more code execution.

CVE request pending.
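
The defect described in the report, shown as an added illustration rather than the plugin's own code (the field names, the `render_*` helpers and the sample record are assumptions): the Manage Repository form writes a repository text field into an input attribute, and the Changesets list writes the same field into a table cell, so a stored value that is not escaped for its HTML context runs as script on both pages.

```php
<?php
// Constructed sample: a repository record whose text field carries the
// payload from the report above.
$t_repo = [
    'name' => "<script>alert('XSS');</script>",
];

// Unsafe rendering (the pattern behind the report): the stored value is
// concatenated straight into the attribute, so the browser executes it
// when the Manage Repository page is displayed.
function render_name_field_unsafe( array $p_repo ) {
    return '<input type="text" name="name" value="' . $p_repo['name'] . '">';
}

// Hardened rendering: escape for the HTML attribute context. ENT_QUOTES
// encodes both quote styles, so the value cannot close the attribute.
function render_name_field_safe( array $p_repo ) {
    $t_value = htmlspecialchars( $p_repo['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<input type="text" name="name" value="' . $t_value . '">';
}

// Changesets list: the field is element text inside a table cell. A
// different context, but the same escaping requirement.
function render_list_cell_safe( array $p_repo ) {
    $t_value = htmlspecialchars( $p_repo['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<td>' . $t_value . '</td>';
}

// Regression check for a test suite: no rendered fragment may still carry
// a raw script tag once the record holds the payload.
function contains_raw_script( $p_html ) {
    return stripos( $p_html, '<script' ) !== false;
}

foreach ( [ 'unsafe' => render_name_field_unsafe( $t_repo ),
            'safe'   => render_name_field_safe( $t_repo ),
            'list'   => render_list_cell_safe( $t_repo ) ] as $t_label => $t_html ) {
    printf( "%-6s raw script present: %s\n", $t_label, contains_raw_script( $t_html ) ? 'yes' : 'no' );
}
```

The CSP violation reports mentioned in step 2 are a useful signal that a page is emitting unescaped input, but they only surface the problem; output escaping at each context is the fix.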

@dregad dregad closed this as completed in bab22fe Sep 1, 2018
dregad added a commit that referenced this issue Sep 1, 2018
Vulnerability on repo_manage_page.php was introduced in v2.0.0-beta.2
(commit 79497dd).

The one on list.php existed since the initial version of the page.

Fixes #286
@dregad dregad changed the title from "x" to "XSS in Manage Repository and Changesets List pages" Sep 1, 2018
@dregad dregad added this to the 1.5.9 milestone Sep 1, 2018
@dregad dregad changed the title from "XSS in Manage Repository and Changesets List pages" to "CVE-2018-16362.XSS in Manage Repository and Changesets List pages" Sep 3, 2018
@dregad dregad changed the title from "CVE-2018-16362.XSS in Manage Repository and Changesets List pages" to "CVE-2018-16362 - XSS in Manage Repository and Changesets List pages" Sep 3, 2018
@dregad
Member Author

dregad commented Sep 3, 2018

CVE-2018-16362 assigned
