https://bugzilla.wikimedia.org/show_bug.cgi?id=22622
--- Comment #56 from Jérémie Roquet <[email protected]> ---
(In reply to comment #54)
> (In reply to comment #53)
> > (In reply to comment #48)
> > > Has the javascript injection been fixed? (cf comment 32)
> > >
> > > That seems pretty critical to me.
> >
> > I concur with this: remember that there's a lot of *confidential* information
> > on OTRS. It's not acceptable to have almost every single user account
> > hijackable, no matter what rights they have, with a single email using an
> > exploit that is easily available and ready to use on the Internet.
>
> JFI: Here would be a hot fix.
>
> https://bugzilla.wikimedia.org/show_bug.cgi?id=22622#c28

Thanks Martin.

> PS: If you have "rich text" disabled, you are safe. Do you use currently
> "rich text" in your system?

It seems we don't. Does it mean that we are immune against any security issue
involving XSS like CVE-2012-4600 and CVE-2012-4751?

Thanks again,
