eZ Publish / Platform
EZP-31297

Persistent XSS in user preferences


    Details

    • Sprint:
      [3.0] - Sprint 20

      Description

      One can inject JS in the user language setting /admin/user/settings/update/language by modifying the request. This is stored, and executed for the same user. Afaik it cannot be triggered by other users, so it isn't exploitable, and not really a security issue. This may also apply to timezone, and other preference values.

      The data should ideally be washed against a whitelist of approved values, given by the content of the dropdowns. If not, it should at least be filtered against injections, and washed on output (for any existing injections already in the DB).
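      The fix the description proposes, as an added illustration that is not eZ Platform code: a submitted preference is accepted only if it matches one of the values the dropdown offers, and whatever is rendered back is HTML-escaped so rows already stored in the DB cannot execute as script. The language list and the sample requests are constructed for this example; the timezone list comes from PHP's own DateTimeZone::listIdentifiers().

```php
<?php
// Added example, not eZ Platform's own code. Shows allowlist validation of a
// user preference on input plus escaping on output.
declare(strict_types=1);

// Constructed stand-in for the options the language dropdown renders. In a
// real integration this must come from the same source as the <select>.
const ALLOWED_LANGUAGES = ['eng-GB', 'fre-FR', 'ger-DE', 'nor-NO'];

/** The approved values for a given preference name (hypothetical names). */
function allowedValues(string $name): array
{
    switch ($name) {
        case 'language':
            return ALLOWED_LANGUAGES;
        case 'timezone':
            // PHP's canonical list of timezone identifiers, e.g. "Europe/Oslo".
            return DateTimeZone::listIdentifiers();
        default:
            return [];
    }
}

/**
 * Return the submitted value if it is on the allowlist, otherwise null.
 * Strict comparison avoids type juggling; no partial or fuzzy matching.
 */
function validatePreference(string $name, string $value): ?string
{
    return in_array($value, allowedValues($name), true) ? $value : null;
}

/** Escape a stored preference for HTML output (covers pre-existing DB rows). */
function renderPreference(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed requests: two legitimate, two tampered.
$requests = [
    ['language', 'eng-GB'],
    ['language', '<script>alert(1)</script>'],
    ['timezone', 'Europe/Oslo'],
    ['timezone', '"><img src=x onerror=alert(1)>'],
];

foreach ($requests as [$name, $value]) {
    $accepted = validatePreference($name, $value);
    if ($accepted === null) {
        // Reject and do not store; log the (escaped) value for tamper detection.
        error_log(sprintf('rejected %s preference: %s', $name, renderPreference($value)));
        continue;
    }
    echo "stored $name = " . renderPreference($accepted) . "\n";
}

// Output-side washing of a value that was stored before the allowlist existed.
$legacy = '<script>alert(1)</script>';
echo 'rendered legacy value: ' . renderPreference($legacy) . "\n";
```

      Validating against the dropdown's own list is preferable to pattern-based filtering because the set of legal values is finite and known; the output escaping remains necessary for whatever was persisted before the check was added.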

              People

              Assignee:
              Unassigned
              Reporter:
              gunnstein.lye@ez.no Gunnstein Lye
              Votes:
              0
              Watchers:
              4
