Reported by: tsewen
Opened 3 months ago
Priority: highest
Severity: critical
Owner: nobody
Version: 0.9.1
Milestone: 0.9.2
Component: Elgg theming
Type: Fix
Review Stage: unreviewed

Description

A user can upload an HTML file containing JavaScript. When another user downloads the file, the script comes from the same domain, so it is run as if it belonged to the site: an XSS vulnerability. The patch included simply sets Content-Disposition to attachment for all files that are not images instead of just files with application/octet-stream MIME types, as done in Elgg 1.0.

Attachments (1)

Added by tsewen on 09/04/08 01:10:12.
Fix for vulnerability. Sets Content-Disposition header to attachment.
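The two download-header policies the ticket contrasts, written out as an added example (this is not Elgg's code or the attached patch): the pre-patch rule that only forces `Content-Disposition: attachment` for `application/octet-stream`, and the patched rule that forces it for every non-image file. The file-type table, the policy names and the `audit` helper are assumptions made for the example; the checker treats `image/svg+xml` as active content because SVG can carry script, which is a caveat on the "all non-images" exemption rather than something the ticket states.

```python
# Added example, not Elgg's code. Models the download handler's response
# headers under the two policies discussed in the ticket and audits which
# stored files would be rendered inline in the site's own origin.
from typing import Dict, List

# Constructed file-type table (assumption for the example); a real handler
# would use the MIME type recorded at upload time.
MIME_BY_EXTENSION = {
    "html": "text/html",
    "htm": "text/html",
    "svg": "image/svg+xml",
    "png": "image/png",
    "jpg": "image/jpeg",
    "pdf": "application/pdf",
}

# Content types a browser will execute script from when rendered inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

OCTET_STREAM_ONLY = "octet-stream-only"   # behaviour the reporter describes (Elgg 1.0 rule)
ALL_NON_IMAGES = "all-non-images"         # behaviour after the patch


def guess_mime(filename: str) -> str:
    """Return the MIME type the handler would send; unknown types fall back to octet-stream."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return MIME_BY_EXTENSION.get(ext, "application/octet-stream")


def download_headers(filename: str, policy: str) -> Dict[str, str]:
    """Build the response headers for serving a stored file under the given policy."""
    mime = guess_mime(filename)
    headers = {"Content-Type": mime}
    if policy == OCTET_STREAM_ONLY:
        force_download = mime == "application/octet-stream"
    elif policy == ALL_NON_IMAGES:
        force_download = not mime.startswith("image/")
    else:
        raise ValueError(f"unknown policy: {policy}")
    if force_download:
        # Strip characters that would let a filename break out of the header value.
        safe_name = "".join(c for c in filename if c not in '"\r\n')
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


def served_inline_as_active_content(headers: Dict[str, str]) -> bool:
    """True when the browser would render the body in the site's origin as HTML or SVG."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = headers.get("Content-Disposition", "").strip().lower()
    return not disposition.startswith("attachment") and ctype in ACTIVE_TYPES


def audit(filenames: List[str], policy: str) -> List[str]:
    """Names of stored files that the given policy would still render inline as active content."""
    return [f for f in filenames if served_inline_as_active_content(download_headers(f, policy))]


if __name__ == "__main__":
    uploads = ["notes.html", "photo.png", "drawing.svg", "report.pdf", "blob.dat"]
    for policy in (OCTET_STREAM_ONLY, ALL_NON_IMAGES):
        print(policy, "->", audit(uploads, policy))
```

Under the pre-patch policy an uploaded `notes.html` is sent with `Content-Type: text/html` and no disposition header, so it renders in the site's origin; under the patched policy it is sent as an attachment. The image exemption still leaves `drawing.svg` inline, which is why a file-download endpoint that serves user uploads is usually hardened further by adding `X-Content-Type-Options: nosniff` and serving uploads from a separate origin.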