Topic #4038 (no title)

#3503 - Persistent XSS

This is a spacer post for a website comment topic. The content this topic relates to: #3503 - Persistent XSS

Hello,

Thanks for the report.

This both is and isn't a security hole. By that I mean I agree it is a security hole, but it is not exploitable.

The Setup Wizard can only be run by a logged-in webmaster, and thus no non-privileged user can set this.

Additionally, CSRF protection exists, such as tokens in forms, referrer checking, and session validation, to prevent remote control of this kind of thing.

Regardless, this will be fixed in our next patch release, and I do thank you for your report. We strive to fix all issues, even if we don't believe them to be exploitable.