From a61c38bda5bc77e74477f7e9e42cc10c2082adaa Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Thu, 15 Aug 2019 10:53:18 +0200
Subject: [PATCH] Fix XSS on timeline (CVE-2019-xxxx)

Kamran Saifullah reported a stored cross-site scripting (XSS) vulnerability in Timeline, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the issue, whenever My View Page is displayed.

Prevent the attack by sanitizing the filename before display.

Fixes #25995
---
 core/classes/IssueAttachmentTimelineEvent.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/classes/IssueAttachmentTimelineEvent.class.php b/core/classes/IssueAttachmentTimelineEvent.class.php
index 8e0425df4..2a6123d87 100644
--- a/core/classes/IssueAttachmentTimelineEvent.class.php
+++ b/core/classes/IssueAttachmentTimelineEvent.class.php
@@ -73,7 +73,7 @@ class IssueAttachmentTimelineEvent extends TimelineEvent {
 . sprintf( lang_get( $t_string ),
 prepare_user_name( $this->user_id ),
 $t_bug_link,
- $this->filename
+ string_html_specialchars( $this->filename )
 ) . '';
 $t_html .= $this->html_end();
-- 
2.19.1.windows.1
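Review bot: The escaping on the added line is applied only at this render site, so the stored filename stays raw and any other place that prints `$this->filename` or the attachment name would need the same `string_html_specialchars()` treatment; if the project has a shared helper for formatting attachment names for HTML, routing this through it would keep the fix from being per-call-site. The other two sprintf arguments, `prepare_user_name( $this->user_id )` and `$t_bug_link`, are presumably already markup and so must not be escaped here, which makes the asymmetry worth a comment on the new line, e.g. `# filename is user-supplied: escape for HTML context; user name and bug link are already markup`. The enclosing method starts and ends outside the hunk, so whether `$t_bug_link` is built from escaped input cannot be confirmed from this view.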