View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0022266 | mantisbt | security | public | 2017-01-26 21:49 | 2017-03-22 04:17
Reporter | vboctor | Assigned To | vboctor | |
Priority | normal | Severity | minor | Reproducibility | always
Status | closed | Resolution | fixed | |
Product Version | 2.0.0-beta.1 | | | |
Target Version | 2.1.1 | Fixed in Version | 2.1.1 | |
Summary | 0022266: CVE-2017-7222: Sanitize window title | | | |

Description

The config option 'window_title' can include <script>alert(1);</script> or <img> tags and it will be rendered successfully. This is mitigated via:

Having said that, we should run this through sanitization anyway. I was able to reproduce this on master, but haven't tried on 1.3.x.

Tags: No tags attached.
Just noticed this... being a security issue, we need to get a CVE ID assigned. I'll take care of it.

It can't affect 1.3.x, since layout API was introduced in 2.x as part of modern UI. Issue was introduced in release 2.0.0-beta.1 (MantisBT master 6a32ba7f).
@dregad Since this is not exploitable because of CSP, is it still considered a security issue? If we still should create CVE, we should make it clear in the description that this would have no effect if CSP is enabled.
Yes. Not only can CSP be disabled, but also some older browsers do not support it.

Absolutely. I always do.
MantisBT: master-2.1 a85b0b96 2017-02-12 13:58

Sanitize window title

The window title is not sanitized. That is not an issue when CSP is enabled (default), but if disabled, it can execute javascript that is set by a user who has access to set configuration via Manage - Manage Configuration - Configuration Report page.

Fixes 0022266

Affected Issues: 0022266

mod - core/layout_api.php
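The pattern behind the report and the commit above, as an added illustration written for this page: it is not MantisBT's own code and does not reproduce core/layout_api.php. The function names, the `<span>` placement of the title and the sample value are assumptions; the payload is the one quoted in the description.

```php
<?php
// Added example for this issue page; not MantisBT's code. All names are
// assumptions. $title stands for the administrator-editable 'window_title'
// configuration value described in the report.
//
// Assumed placement: the value is echoed inside a visible page element (a
// <span> here), so a stored "<script>" is parsed as markup. Inside <title>
// alone it would be inert RCDATA text until a closing </title> appeared.

// Vulnerable form: raw interpolation of the config value into HTML. With
// CSP disabled or unsupported by the browser, "<script>alert(1);</script>"
// runs in every visitor's session.
function render_window_title_unsafe(string $title): string
{
    return '<span class="navbar-brand">' . $title . '</span>';
}

// Hardened form: encode for the HTML text context at the point of output.
// ENT_QUOTES also escapes quotes, so the helper stays safe if the value is
// later reused inside an attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from
// turning the whole title into an empty string; the explicit charset avoids
// encoding-dependent bypasses.
function render_window_title(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="navbar-brand">' . $safe . '</span>';
}

// Regression check: the text between the span tags must contain no raw
// angle bracket, whatever value an administrator stored.
function title_is_encoded(string $html): bool
{
    $open  = '<span class="navbar-brand">';
    $close = '</span>';
    $inner = substr($html, strlen($open), -strlen($close));
    return strpos($inner, '<') === false && strpos($inner, '>') === false;
}

// Constructed sample value built from the payload quoted in the report.
$payload = '<script>alert(1);</script> MantisBT';

echo render_window_title_unsafe($payload), PHP_EOL;
echo render_window_title($payload), PHP_EOL;
var_dump(title_is_encoded(render_window_title($payload)));
var_dump(title_is_encoded(render_window_title_unsafe($payload)));
```

Running the file with `php` prints the raw and the encoded markup one after the other, then `true` for the hardened renderer and `false` for the unsafe one. The thread's conclusion is reflected in the design: CSP stays as defence in depth, but the fix is encoding at the output point, so it holds when CSP is disabled or the browser does not enforce it.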