MantisBT: master-2.15 4efac90e

Author Committer Branch Timestamp Parent
dregad atrol master-2.15 2018-07-04 05:29 master ee30e00a
Affected Issues: 0024580: CVE-2018-13055: Reflected XSS in view filters page
Changeset

Fix XSS in filter_form_draw_inputs() (CVE-2018-13055)

Ömer Çıtak, Security Researcher at Netsparker, reported this
vulnerability, allowing remote attackers to inject arbitrary code
(if CSP settings permit it) through a crafted PATH_INFO on
view_filters_page.php.

Prevent the attack by sanitizing the output of $_SERVER['PHP_SELF']
before display.

Fixes 0024580

mod - core/filter_form_api.php
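The mechanism behind the report, as an added example that is not MantisBT's own code and not the patch itself: `$_SERVER['PHP_SELF']` is the script path plus whatever PATH_INFO the client appended, so echoing it raw into a form `action` attribute lets the request URL break out of the attribute. The function names and the simulated request value below are assumptions made for the illustration; the hardened variant simply HTML-attribute-encodes the value before output, which is the class of fix the commit message describes.

```php
<?php
// Added example, not MantisBT's own code: shows why an unescaped
// $_SERVER['PHP_SELF'] in a form action is a reflected XSS sink, and
// the output escaping that closes it. Runs from the CLI, no web server needed.

// PHP_SELF is the script path plus any PATH_INFO the client appended, so a
// request for  /view_filters_page.php/"><script>alert(1)</script>
// yields the value below. It is set here by hand to simulate that request
// (constructed input, not captured traffic).
$_SERVER['PHP_SELF'] = '/view_filters_page.php/"><script>alert(1)</script>';

/** Vulnerable pattern (hypothetical name): attacker-controlled path written raw into an attribute. */
function draw_filter_form_vulnerable(): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

/** Hardened pattern (hypothetical name): HTML-attribute-encode the value before output. */
function draw_filter_form_safe(): string {
    // ENT_QUOTES covers both quoting styles; ENT_SUBSTITUTE avoids an empty
    // string on invalid UTF-8, which would otherwise fail open silently.
    $action = htmlspecialchars(
        $_SERVER['PHP_SELF'],
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<form action="' . $action . '" method="post">';
}

/** Crude check: does the markup contain a tag the template did not itself emit? */
function contains_injected_tag(string $html): bool {
    // Any '<' followed by a letter, other than the <form> tag we wrote ourselves.
    return (bool) preg_match('#<(?!/?form\b)[a-z]#i', $html);
}

foreach (['vulnerable' => draw_filter_form_vulnerable(),
          'safe'       => draw_filter_form_safe()] as $label => $html) {
    printf("%-10s injected=%s  %s\n", $label,
           contains_injected_tag($html) ? 'yes' : 'no', $html);
}
```

In the vulnerable output the `"` in PATH_INFO terminates the `action` attribute and the `<script>` element is rendered as markup; in the hardened output it survives only as `&quot;&gt;&lt;script&gt;...`. Output encoding is the control that actually removes the bug; as the commit message notes, a Content Security Policy may block the payload from executing, but that is defence in depth and not a substitute for escaping. A stricter option, an assumption of this note rather than something the page states, is to not echo `PHP_SELF` at all and emit a fixed script name in the action.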