Ticket #316 (closed defect: fixed)

Opened 5 years ago

Last modified 5 years ago

XSS injection vulnerability in search form

Reported by: russ Assigned to: stevec
Priority: high Milestone:
Component: ambra Version:
Keywords: xss security Cc:
Blocking: Blocked By:

Description

an encoded script tag in the search form is executed by the browser.

http://www.plosone.org/search/simpleSearch.action?query=%3Cscript%3Ealert%280%29%3C%2Fscript%3E&x=0&y=0

Dependency Graph

Change History

03/26/07 10:56:04 changed by stevec

  • status changed from new to closed.
  • resolution set to fixed.

Given that this information is never saved, the vulnerability that exists is if the link is sent by someone and clicked by the recipient, rather than someone randomly browsing on the site, though if the user included the link in a comment, and someone clicked on it, it would still be a problem. At any rate, it's been addressed in [2472]

08/07/07 16:25:51 changed by

  • milestone deleted.

Milestone Bugs deleted