mahara-contributors team mailing list archive
Message #21553
[Bug 1377736] Re: XSS Vulnerability adding pages into a collection
** Tags added: regression
** Information type changed from Private Security to Public Security
** Changed in: mahara/1.10
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1377736
Title:
XSS Vulnerability adding pages into a collection
Status in Mahara ePortfolio:
Fix Committed
Status in Mahara 1.10 series:
Fix Released
Status in Mahara 1.11 series:
Fix Committed
Bug description:
Version: master (1.10)
Platform, browser: any
Steps to reproduce:
1. Create a page with the title "<script>alert(1);</script>" without the quotes
2. Create a collection
3. Add the page into the collection by dragging it.
You will see the alert pop-up window.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1377736/+subscriptions