[magnolia-dev] [JIRA] (MGNLSTK-1091) Cross Site Scripting Vulnerability (XSS) in pagination

[on behalf of Roman Kovařík]

Roman Kovařík created MGNLSTK-1091 Cross Site Scripting Vulnerability (XSS) in pagination Issue Type: Bug Affects Versions: 1.4.4 Assignee: Roman Kovařík Components: paragraphs Created: 08/Feb/13 1:22 PM Description: The pagination in the STK as used in, among others, the newsoverview and eventoverview is vulnerable to cross site scripting. The hrefs of page hyperlinks contain the original URL with an added currentPage parameter. The original URL can have malicious scripts syntax which will be executed when the page hyperlinks are rendered. An example can be found on the Magnolia demo site's newsoverview page if you define a paging for the newsoverview paragraph: http://demo.magnolia-cms.com/demo-project/news-and-events/news-overview.html?currentPage=2&xss="><script>alert('XSS');</script> A live example is on a website we made: http://www.wetenschap24.nl/nieuws/artikelen.html?currentPage=3&xss="><script>alert('XSS');</script> Fix Versions: 1.4.8, 2.0.5 Project: Magnolia Standard Templating Kit Labels: stk xss Priority: Critical Reporter: Roman Kovařík

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

---

----------------------------------------------------------------
For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <dev-list-unsubscr...@magnolia-cms.com>
----------------------------------------------------------------