5.3.0-git
2014-12-18

[#11189] XSS vulnerability in Tasks view
Summary XSS vulnerability in Tasks view
Queue Kronolith
Queue Version Git master
Type Enhancement
State Resolved
Priority 3. High
Owners jan (at) horde (dot) org
Requester ctimoteo (at) sapo (dot) pt
Created 2012-05-10 (952 days ago)
Due
Updated 2012-05-15 (947 days ago)
Assigned
Resolved 2012-05-12 (950 days ago)
Milestone
Patch Yes

History
2012-05-15 17:35:48 Git Commit Comment #4
Changes have been made in Git (develop):

commit 1228a6825a8dab3333d0a8c8986fc10d1f3d11b2
Author: Jan Schneider <jan@horde.org>
Date:   Sat May 12 13:32:19 2012 +0200

     Escape content (Bug #11189).

  kronolith/docs/CHANGES    |    2 ++
  kronolith/js/kronolith.js |   10 +++++-----
  kronolith/package.xml     |    2 ++
  3 files changed, 9 insertions(+), 5 deletions(-)

http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2
2012-05-12 11:34:57 Jan Schneider Comment #3
Assigned to Jan Schneider
State ⇒ Resolved
In the future, report this to security@horde.org or at least post this as visible to "Horde Developers" only.
2012-05-12 11:33:53 Git Commit Comment #2
Changes have been made in Git (master):

commit 1228a6825a8dab3333d0a8c8986fc10d1f3d11b2
Author: Jan Schneider <jan@horde.org>
Date:   Sat May 12 13:32:19 2012 +0200

     Escape content (Bug #11189).

  kronolith/docs/CHANGES    |    2 ++
  kronolith/js/kronolith.js |   10 +++++-----
  kronolith/package.xml     |    2 ++
  3 files changed, 9 insertions(+), 5 deletions(-)

http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2
2012-05-10 16:09:24 ctimoteo (at) sapo (dot) pt Comment #1
State ⇒ New
New Attachment: kronolith.js.patch.txt
Patch ⇒ Yes
Milestone ⇒
Queue ⇒ Kronolith
Summary ⇒ XSS vulnerability in Tasks view
Type ⇒ Enhancement
Priority ⇒ 3. High
Hello,

I detected one possible XSS vulnerability in Kronolith.

In the Task view, if I create tasks with some JavaScript code in the task description, the JavaScript code is executed when listing the tasks (or after a toggle).

I provide one patch to solve it.

Goodbye.

--
Carlos Timóteo
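
The bug class reported in this ticket, as an added example that is not the attached patch and not Kronolith's code: a task row built by string concatenation, before and after escaping at the point of output, plus a small regression check. The function names, the row template (including the `title` attribute) and the sample tasks are assumptions constructed for illustration.

```javascript
// Added example: hypothetical renderer, not Kronolith's actual code.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for element content and for quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// "Before": user-controlled fields are concatenated into markup as-is.
function renderTaskRowUnsafe(task) {
  return '<div class="task" title="' + task.desc + '">' +
         task.name + ': ' + task.desc + '</div>';
}

// "After": every user-controlled field is escaped where it is written out.
function renderTaskRowSafe(task) {
  const name = escapeHtml(task.name);
  const desc = escapeHtml(task.desc);
  return '<div class="task" title="' + desc + '">' + name + ': ' + desc + '</div>';
}

// Regression check: the template has one element with two attributes.
// Extra opening tags or extra attributes mean a field injected markup.
function auditRow(html) {
  const openTag = html.slice(0, html.indexOf('>') + 1);
  const attrs = [];
  for (const m of openTag.matchAll(/([\w-]+)="[^"]*"/g)) attrs.push(m[1]);
  return { tags: (html.match(/<[a-zA-Z]/g) || []).length, attrs: attrs.join(',') };
}

function isClean(html) {
  const a = auditRow(html);
  return a.tags === 1 && a.attrs === 'class,title';
}

// Constructed sample tasks: element-content case and attribute-value case.
const SAMPLES = [
  { name: 'Probe', desc: '<script>alert(1)</script>' },
  { name: 'Attr', desc: '" onmouseover="alert(1)' },
];

for (const task of SAMPLES) {
  console.log(task.name, 'unsafe clean?', isClean(renderTaskRowUnsafe(task)),
              '| safe clean?', isClean(renderTaskRowSafe(task)));
}
```

Escaping only `<`, `>` and `&` covers the element-content case but not the attribute case, which is why the quote characters are in the table as well.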