Bug #34950 | XSS vulnerability on "display name" field | | |
---|---|---|---|
Submitted: | 29 Feb 2008 3:28 | Modified: | 3 Mar 2008 20:13 |
Reporter: | Diego Medina | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Websites: MySQLForge | Severity: | S1 (Critical) |
Version: | forge1.mysql.com | OS: | Any |
Assigned to: | Valeriy Kravchuk | CPU Architecture: | Any |
Tags: | forge, XSS | | |
[29 Feb 2008 3:28]
Diego Medina
[29 Feb 2008 3:56]
Diego Medina
the "website" field is also vulnerable (I updated the same page so that you can see)
[29 Feb 2008 4:31]
Valeriy Kravchuk
Thank you for a bug report. Verified just as described.
[3 Mar 2008 15:18]
Jay Pipes
Checked and escaped missing outputs in templates/nav.tpl and templates/people/person.tpl. Revisions r364-5 have fixes.
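An added example, not the Forge code or the r364-5 change: one way a profile page's "display name" and "website" values could be escaped on output. The field names `display_name` and `website`, the markup, and the helpers `h`, `safe_website` and `render_person` are assumptions; the example also goes one step beyond escaping by restricting the website link to http(s), since HTML escaping does not neutralise a `javascript:` URL placed in an `href`.

```php
<?php
// Added example: not MySQL Forge code. Field names and markup are assumed.

// Escape a value for HTML element content or a quoted attribute value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return the URL only if it is an absolute http(s) URL, otherwise null.
// parse_url() yields null/false for a missing or malformed component.
function safe_website(string $url): ?string
{
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($scheme) || !is_string($host)) {
        return null;
    }
    return in_array(strtolower($scheme), ['http', 'https'], true) ? $url : null;
}

// Render the two user-controlled profile fields with output escaping.
function render_person(array $person): string
{
    $html = '<h1>' . h($person['display_name']) . '</h1>';
    $site = safe_website($person['website']);
    if ($site !== null) {
        // Escape again for the attribute and for the link text.
        $html .= '<a href="' . h($site) . '" rel="nofollow noopener">'
               . h($site) . '</a>';
    }
    return $html;
}

// Constructed sample profiles (not taken from the bug report).
$profiles = [
    ['display_name' => 'Alice <script>alert(1)</script>',
     'website'      => 'javascript:alert(1)'],
    ['display_name' => 'Bob "Q" & co',
     'website'      => 'https://example.com/?a=1&b="x"'],
];
foreach ($profiles as $p) {
    echo render_person($p), PHP_EOL;
}
```

The first profile renders its markup as inert text and drops the link entirely; the second keeps the link with `&` and `"` encoded inside the attribute.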
[3 Mar 2008 20:01]
Diego Medina
the Project title has the same issue, check http://forge1.mysql.com/projects/project.php?id=260
[3 Mar 2008 20:13]
Jay Pipes
hi Diego! Please enter a new bug for this as it is a different area of the application. I'm going to close this one. Thanks much for all your tremendous help! -jay