Topic #4038 (no title)
By Guest, posted
#3503 - Persistent XSS
By System, posted
This is a spacer post for a website comment topic. The content this topic relates to: #3503 - Persistent XSS
#3503 - Persistent XSS
Thanks for the report.
This both is and isn't a security hole. By that I mean I agree it is a security hole, but it is not exploitable.
The Setup Wizard can only be run by a logged in webmaster, and thus no non-privileged user can set this.
Additionally, CSRF protection exists, such as tokens in forms, referrer checking, and session validation, to prevent remote control of this kind of thing.
Regardless, this will be fixed in our next patch release, and I do thank you for your report. We strive to fix all issues, even if we don't believe them to be exploitable.
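The reply above leans on two layers: the Setup Wizard form is reachable only by a logged-in webmaster and is protected against cross-site requests by tokens, referrer checking and session validation, and the stored value itself will be fixed in the next patch. The following is an added illustration of both layers in a tiny self-contained form; it is not Composr code, and every name in it (ADMIN_ORIGIN, the in-memory session store, the "site_name" setting, the handler functions) is an assumption made for the example. It shows a per-session CSRF token compared in constant time, an Origin/Referer check against the site's own origin, a webmaster-only privilege gate, and output encoding of the stored setting so that a stored payload renders as text rather than markup.

```python
"""Added example (not Composr's own code): CSRF defences on a privileged
settings form plus output encoding of the stored value.

All names here are assumptions for the example: ADMIN_ORIGIN, the in-memory
SESSIONS store, the 'site_name' setting and the handler functions.
"""
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Constructed value: the origin the admin form is served from.
ADMIN_ORIGIN = "https://example.test"

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


def new_session(is_webmaster):
    """Create a session with a privilege flag and a fresh per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"webmaster": is_webmaster, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own form for this session."""
    return SESSIONS[sid]["csrf"]


def referer_ok(headers):
    """Accept only requests whose Origin (or, failing that, Referer) is our origin.

    A request carrying neither header is rejected; browsers send Origin on
    cross-site form posts, so a missing header is treated as suspect here.
    """
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN


def save_setting(sid, headers, form, settings):
    """Server-side handler for the settings form. Returns an outcome string.

    Order of checks: valid session -> webmaster privilege -> origin/referrer
    -> CSRF token. Only then is the submitted value stored.
    """
    sess = SESSIONS.get(sid)
    if sess is None:
        return "no-session"
    if not sess["webmaster"]:
        return "forbidden"          # the reply's first point: webmaster only
    if not referer_ok(headers):
        return "bad-origin"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return "bad-token"          # constant-time compare avoids timing leaks
    # Store the raw value; encoding happens at output time, per context.
    settings["site_name"] = form.get("site_name", "")
    return "saved"


def render_site_name(settings):
    """HTML-encode at output time so a stored payload is shown as text."""
    safe = html.escape(settings.get("site_name", ""), quote=True)
    return f"<h1>{safe}</h1>"


if __name__ == "__main__":
    settings = {}
    admin = new_session(is_webmaster=True)
    same_site = {"Origin": ADMIN_ORIGIN}
    form = {"csrf_token": csrf_token_for(admin),
            "site_name": "Acme <script>alert(1)</script>"}   # constructed test value
    print(save_setting(admin, same_site, form, settings))     # saved
    print(render_site_name(settings))                         # encoded, inert
    print(save_setting(admin, {"Referer": "https://other.test/x"}, form, settings))  # bad-origin
```

The handler stores the raw value and encodes it only when rendering, which is the fix that removes the persistent XSS regardless of who was able to submit the form; the CSRF and privilege checks are the layers that keep a non-privileged or remote party from reaching the form in the first place.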