XSS Vulnerability in AuUploader

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: 6.5.8, 7.0.5
    • Affects Version/s: 6.5.3
    • Component/s: None
    • Security Level: Jean
    • None

      I don't know how this relates to ZK-1720 and ZK-1961, but in Release 6.5.3 it seems to be still an issue: One of our customers reported a possible security issue. He was able to inject JavaScript code in the SID and UUID parameters sent to the server during uploads. Both parameters seem to be sent back to the client in the Servlets.forward() call without being checked against JavaScript code.

            Assignee:
            hanhsu
            Reporter:
            jkraushaar