MantisBT: master-1.3.x d31841c8

Diff Back to Repository
Author Committer Branch Timestamp Parent
dregad dregad master-1.3.x 2017-03-24 08:02 master-1.3.x ec7c8146
Affected Issues  0022568: CVE-2017-7241: XSS in move_attachments_page.php
Changeset

Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Move Attachments admin page, allowing
an attacker to inject arbitrary code through a crafted 'type'
parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special
characters are properly escaped.

Fixes 0022568

Backported from 2.2.x ecef0e9b523a460709e8feedfce72f05bb30b992
Conflicts:
admin/move_attachments_page.php
mod - admin/move_attachments_page.php Diff File