MantisBT: master-2.1 2d55c647

Author: dregad
Committer: dregad
Branch: master-2.1
Timestamp: 2017-03-24 12:02:07
Parent: master-2.1 385a13cb
Affected Issues: 0022568: CVE-2017-7241: XSS in move_attachments_page.php
Changeset

Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Move Attachments admin page, allowing
an attacker to inject arbitrary code through a crafted 'type'
parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special
characters are properly escaped.

Fixes 0022568

mod - admin/move_attachments_page.php