
canonical-ubuntu-qa team mailing list archive

[Bug 2046565] Re: XSS in error message display function (problem-not-found)


It's been ~ 9 months. I can't rule out that other organizations run separate instances of this software and thus need to know about its vulnerabilities, so I'm making this public.
Thanks for the suggested patch, ~alexmurray.

-- 
You received this bug notification because you are a member of Daisy
Pluckers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046565

Title:
  XSS in error message display function (problem-not-found)

Status in Errors:
  New

Bug description:
  https://errors.ubuntu.com/?problem-not-found=%3Ciframe%20src=javascript:alert(0)%3E%3C/iframe%3E

  This deployment of the error tracker also lacks security headers such
  as CSP, and imports Yahoo APIs via plain HTTP.

  (Also, TLSv1.0 and v1.1 and many of the currently supported TLSv1.2
  cipher suites ought to be disabled on any production sites nowadays.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/errors/+bug/2046565/+subscriptions
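The report above describes a query parameter reflected into an error page without encoding, and a deployment that ships no Content-Security-Policy. The following is an added example, not the error tracker's own code and not the patch ~alexmurray suggested; the function and template names are hypothetical and the query string is a constructed sample shaped like the one in the report. It shows the vulnerable rendering pattern next to the hardened one (context-appropriate HTML escaping plus a restrictive CSP), and a small check that tells the two apart.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string, shaped like the one in the bug report.
SAMPLE_QUERY = "problem-not-found=%3Ciframe%20src=javascript:alert(0)%3E%3C/iframe%3E"

# Hypothetical page template; the real tracker's markup is not shown on the page.
PAGE_TEMPLATE = (
    '<html><body><p class="error">Problem not found: {message}</p></body></html>'
)


def _message_from_query(query_string: str) -> str:
    """Pull the user-controlled parameter out of the query string (first value only)."""
    params = parse_qs(query_string)
    return params.get("problem-not-found", [""])[0]


def render_error_unsafe(query_string: str) -> str:
    """Vulnerable pattern: the parameter lands in the HTML body verbatim.

    Anything the client put in the URL, including tags and event handlers,
    becomes part of the document the browser parses.
    """
    return PAGE_TEMPLATE.format(message=_message_from_query(query_string))


def render_error_safe(query_string: str) -> str:
    """Hardened pattern: escape for the HTML text context before interpolation.

    html.escape turns <, >, &, and with quote=True also " and ' into entities,
    so the value is displayed as text rather than interpreted as markup.
    """
    safe_message = html.escape(_message_from_query(query_string), quote=True)
    return PAGE_TEMPLATE.format(message=safe_message)


def security_headers() -> dict:
    """Defence-in-depth response headers the report notes are missing.

    The CSP restricts scripts and frames to same-origin, forbids plugins and
    framing, and upgrade-insecure-requests rewrites plain-HTTP subresource
    loads (such as the HTTP-imported third-party API the report mentions)
    to HTTPS. HSTS and nosniff are the usual companions.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "frame-ancestors 'none'; base-uri 'none'; upgrade-insecure-requests"
        ),
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    }


def contains_raw_tag(rendered_html: str, tag: str = "iframe") -> bool:
    """Detection helper: is an unescaped <tag ...> present in the rendered page?"""
    return f"<{tag}" in rendered_html.lower()


if __name__ == "__main__":
    print("unsafe :", render_error_unsafe(SAMPLE_QUERY))
    print("safe   :", render_error_safe(SAMPLE_QUERY))
    print("headers:", security_headers())
```

Escaping at the output point is the fix; the CSP is a second layer that limits what an injected tag could do if another reflection is missed, and it also addresses the plain-HTTP script import the report mentions since a same-origin script-src would not permit that load.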