XSS is possible in the admin part of the comments extension. Reproduce:

1. Post a comment with, say, "<script>alert("oh my xss")</script>"
2. Log in as admin, go to the comments tab
3. you see...
In the frontend, the output is handled correctly. This gives an attacker the possibility to take over an admin account. /simon
_______________________________________________
Radiant mailing list
Post: Radiant@radiantcms.org
Search: http://radiantcms.org/mailing-list/search/
Site: http://lists.radiantcms.org/mailman/listinfo/radiant
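The report above describes a stored XSS that only appears in the admin comment listing because the frontend escapes comment bodies and the admin view does not. The following is an added Ruby example (not code from the report or from the Radiant comments extension) that shows the defect pattern beside its fix using only the standard-library ERB escaping helpers; the two templates, the `render_admin_row` and `needs_review?` helpers and the sample comment are all constructed for illustration and assume nothing about the extension's real view files.

```ruby
require "erb"

# Constructed sample comment, modelled on the payload quoted in the report.
# This is stored data: whatever the visitor typed in the comment form.
SAMPLE_COMMENT = { author: "visitor", body: '<script>alert("oh my xss")</script>' }.freeze

# Hypothetical admin-list row with the defect the report describes:
# <%= %> in classic ERB emits the value verbatim, so a stored comment body
# becomes live markup when an administrator opens the comments tab.
ADMIN_TEMPLATE_UNSAFE = <<~ERB
  <tr><td><%= comment[:author] %></td><td><%= comment[:body] %></td></tr>
ERB

# Hardened row: every user-controlled field goes through html_escape before
# it reaches the page, exactly as the frontend template already does.
# html_escape rewrites & < > " and ' into their HTML entities.
ADMIN_TEMPLATE_SAFE = <<~ERB
  <tr><td><%= ERB::Util.html_escape(comment[:author]) %></td><td><%= ERB::Util.html_escape(comment[:body]) %></td></tr>
ERB

# Renders one admin-list row from a template and a comment hash.
def render_admin_row(template, comment)
  ERB.new(template, trim_mode: "-").result_with_hash(comment: comment)
end

# Triage helper: true when escaping would change the body, i.e. the stored
# comment contains characters that would become markup if emitted raw.
# Useful for flagging existing comments for review after the view is fixed.
def needs_review?(body)
  ERB::Util.html_escape(body) != body
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe admin row: #{render_admin_row(ADMIN_TEMPLATE_UNSAFE, SAMPLE_COMMENT)}"
  puts "safe admin row:   #{render_admin_row(ADMIN_TEMPLATE_SAFE, SAMPLE_COMMENT)}"
  puts "needs review? #{needs_review?(SAMPLE_COMMENT[:body])}"
end
```

The key point the example makes is that escaping is a property of each output location, not of the data: the same comment row is harmless in the frontend and dangerous in the admin view purely because one template escapes and the other does not, so the fix belongs in the admin template (or in a shared helper both views use), not in the comment-posting path.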