6.0.0-alpha14
6/24/25

[#11189] XSS vulnerability in Tasks view
Summary XSS vulnerability in Tasks view
Queue Kronolith
Queue Version Git master
Type Enhancement
State Resolved
Priority 3. High
Owners jan (at) horde (dot) org
Requester ctimoteo (at) sapo (dot) pt
Created 05/10/2012 (4793 days ago)
Due
Updated 05/15/2012 (4788 days ago)
Assigned
Resolved 05/12/2012 (4791 days ago)
Milestone
Patch Yes

History
05/15/2012 05:35:48 PM Git Commit Comment #4
Changes have been made in Git (develop):

commit 1228a6825a8dab3333d0a8c8986fc10d1f3d11b2
Author: Jan Schneider <jan@horde.org>
Date:   Sat May 12 13:32:19 2012 +0200

     Escape content (Bug #11189).

  kronolith/docs/CHANGES    |    2 ++
  kronolith/js/kronolith.js |   10 +++++-----
  kronolith/package.xml     |    2 ++
  3 files changed, 9 insertions(+), 5 deletions(-)

http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2
05/12/2012 11:34:57 AM Jan Schneider Comment #3
Assigned to Jan Schneider
State ⇒ Resolved
In the future, report this to security@horde.org or at least post this 
for "Horde Developers" visible only.
05/12/2012 11:33:53 AM Git Commit Comment #2
Changes have been made in Git (master):

commit 1228a6825a8dab3333d0a8c8986fc10d1f3d11b2
Author: Jan Schneider <jan@horde.org>
Date:   Sat May 12 13:32:19 2012 +0200

     Escape content (Bug #11189).

  kronolith/docs/CHANGES    |    2 ++
  kronolith/js/kronolith.js |   10 +++++-----
  kronolith/package.xml     |    2 ++
  3 files changed, 9 insertions(+), 5 deletions(-)

http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2
05/10/2012 04:09:24 PM ctimoteo (at) sapo (dot) pt Comment #1
Priority ⇒ 3. High
New Attachment: kronolith.js.patch.txt
Patch ⇒ Yes
Milestone ⇒
Queue ⇒ Kronolith
Summary ⇒ XSS vulnerability in Tasks view
Type ⇒ Enhancement
State ⇒ New
Hello,

I detected one possible XSS vulnerability in Kronolith.

In the Task view, if I create tasks with some JavaScript code in the task
description, the JavaScript code is executed when listing the tasks (or
after a toggle).

I provide one patch to solve it.

Goodbye.

--
Carlos Timóteo
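
The flaw reported above and the "Escape content" fix, as an added example that is not part of the ticket or of the Kronolith patch: a task row built by string concatenation, shown unescaped and escaped, with a small check that flags markup the row template did not produce. All function names, class names and the sample task are assumptions made for illustration.

```javascript
// Added example. Function names, class names and the sample task are
// constructed for illustration; they are not taken from kronolith.js.

// Encode the characters that are significant in HTML text and in quoted
// attribute values, so user data is displayed instead of parsed as markup.
function escapeHTML(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": task fields are concatenated into the row markup unchanged, so
// markup stored in a description becomes part of the page when tasks are listed.
function renderTaskRowUnsafe(task) {
  return '<div class="task-row"><span class="name">' + task.name + '</span>' +
    '<span class="desc">' + task.desc + '</span></div>';
}

// "After": every user-controlled field is escaped at the point of output.
function renderTaskRowEscaped(task) {
  return '<div class="task-row"><span class="name">' + escapeHTML(task.name) +
    '</span><span class="desc">' + escapeHTML(task.desc) + '</span></div>';
}

// Regression check for unit tests: return the opening tags in rendered markup
// that the row template itself does not produce.
function unexpectedTags(html, allowed = ['div', 'span']) {
  const opened = html.match(/<\s*[a-zA-Z][\w-]*/g) || [];
  return opened
    .map((tag) => tag.replace(/^<\s*/, '').toLowerCase())
    .filter((name) => !allowed.includes(name));
}

// Constructed sample: a task whose description carries an inert script element.
const sampleTask = {
  name: 'Pay invoice & file receipt',
  desc: '<script>/* constructed marker */</script>',
};

console.log(unexpectedTags(renderTaskRowUnsafe(sampleTask)));
console.log(unexpectedTags(renderTaskRowEscaped(sampleTask)));
console.log(renderTaskRowEscaped(sampleTask));
```

Escaping belongs at the point where the value is written into markup, so stored task data stays unchanged and legitimate characters such as `&` still display correctly.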
