http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6632
Bug #: 6632
Summary: [security] XSS on list name (on admin part)
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: rel_3_4
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: Templates
AssignedTo: [email protected]
ReportedBy: [email protected]
QAContact: [email protected]
There are 3 XSS on the list detail page, for the shelf name parameter, on the
staff part.
In order to test:
1. on the OPAC, create a new list named 'a <blink>simple</blink> list'
2. log in as admin on the staff part.
3. go to Lists
4. select the list named 'a <blink>simple</blink> list' (no XSS here)
5. the word 'simple' *blinks* in 3 places
The issue is mitigated by the fact that the list of shelves displays the code,
and the admin should see it before triggering the XSS.
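Added example, not Koha code and not part of the original report: a Python model of the staff-side rendering the report describes. Koha's staff templates are Perl/Template Toolkit, where the fix is to HTML-escape the shelf name at output time (assumed here to be the template's html filter applied to every slot). The template text, the three output locations and the sample list names below are constructed stand-ins, since the report does not say which three places render the name. The block renders the reported name into the three slots unescaped and escaped, then parses the result to list the start tags that come from the list name rather than the template; the same check is what a reviewer would run to confirm a fix covers every place the name is printed, not just the one that was noticed.

```python
import html
from html.parser import HTMLParser

# Constructed samples: the list name from the report, and a script payload
# of the kind a stored XSS in the same slot would carry.
REPORTED_NAME = "a <blink>simple</blink> list"
SCRIPT_NAME = "x<script>alert(document.cookie)</script>"

# Hypothetical stand-in for the staff-side list detail template. The three
# locations are assumed; the real Koha template is Template Toolkit, not this.
STAFF_TEMPLATE = (
    "<h1>{name}</h1>\n"
    '<div class="breadcrumb">Lists &rsaquo; {name}</div>\n'
    "<table><caption>Contents of {name}</caption></table>\n"
)
# Every start tag the template itself emits. Anything else in the output
# was smuggled in through the list name.
TEMPLATE_TAGS = {"h1", "div", "table", "caption"}


def render_unsafe(shelf_name):
    """Vulnerable rendering: the stored name is interpolated as raw HTML."""
    return STAFF_TEMPLATE.format(name=shelf_name)


def render_safe(shelf_name):
    """Hardened rendering: escape once, at output time, for every slot.

    quote=True also neutralises quotes, so the same value is safe if a
    later template change puts it inside an attribute."""
    return STAFF_TEMPLATE.format(name=html.escape(shelf_name, quote=True))


class _Collector(HTMLParser):
    """Records start tags and text chunks as the browser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def _parse(rendered):
    p = _Collector()
    p.feed(rendered)
    p.close()
    return p


def injected_tags(rendered):
    """Names of start tags in the output that the template does not emit.

    Each entry is one place where the list name became live markup, so the
    length of this list is the number of XSS sinks on the page."""
    return [t for t in _parse(rendered).tags if t not in TEMPLATE_TAGS]


def name_survives_as_text(rendered, shelf_name):
    """True if some text node shows the name verbatim, i.e. the browser would
    display the markup as characters (what the report calls 'the code')
    instead of interpreting it."""
    return shelf_name in _parse(rendered).text


if __name__ == "__main__":
    for name in (REPORTED_NAME, SCRIPT_NAME):
        print("unsafe:", injected_tags(render_unsafe(name)))
        print("safe:  ", injected_tags(render_safe(name)))
```

With the reported name the unsafe rendering yields three blink start tags, one per slot, matching the three blinking places in step 5; the safe rendering yields none and the heading's text node equals the stored name exactly, which is the behaviour the report attributes to the list-of-shelves page. Escaping has to be done at output for each slot: fixing the heading alone would still leave the other two sinks in this model, which is why counting injected tags over the whole page is a better acceptance check than eyeballing one spot.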
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/