ZK-2056: XSS Vulnerability in AuUploader

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.3
    • Fix Version/s: 6.5.8, 7.0.5
    • Component/s: None
    • Security Level: Jean
    • Labels:

      Description

      I don't know how this relates to ZK-1720 and ZK-1961, but in Release 6.5.3 it still seems to be an issue: One of our customers reported a possible security issue. He was able to inject JavaScript code in the SID and UUID parameters sent to the server during uploads. Both parameters seem to be sent back to the client in the Servlets.forward() call without being checked against JavaScript code.

              People

              Assignee:
              hanhsu hanhsu
              Reporter:
              jkraushaar jkraushaar
              Votes: 0
              Watchers: 0