Hi,

On Fri, Jan 15, 2016 at 2:26 PM, Andy Bradford <amb-fos...@bradfords.org> wrote:
> Thus said Richard Hipp on Fri, 15 Jan 2016 07:46:17 -0500:
>
>> I received email alerting me to the following:
>> https://www.xssposed.org/incidents/124372/
>
> There are free tools that could be run to check their claims...
>
> These folks might have one:
>
> https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
>
> Andy
> --
> TAI64 timestamp: 4000000056996424
>
> _______________________________________________
> fossil-dev mailing list
> fossil-dev@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev

Sorry to resurrect an old post, but the site mentioned in the original post has disclosed the vulnerability. I was just notified by the security team at the university I work at (Boise State) that my fossil server is vulnerable to this XSS attack. I'm no security expert, but it seems to be legit. It was independently verified by a service my university subscribes to.

--
Kyle