    OF-836 CVE-2015-6972 XSS in external-components · b44bf488
    Dave Cridland authored
    The subdomain parameter in external-components-settings.jsp was reflected
    in both cases in the deletion URI as an unencoded parameter.
    
    Originally discovered by Simon Waters, then this case found by Florian
    Nivette of Sysdream.
    
    Fix is twofold:
    
* The parameter is now encoded on output; the deletion URI is now set using
  the JSP tags instead of string construction.
* The subdomain parameter is validated on input, making it difficult to inject
  script elements, etc.
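The two mitigations named in the commit message, input validation of the subdomain and output encoding before it is reflected into the deletion link, written out as an added Java example. This is not Openfire's code and not the contents of the commit; the class name, the allow-list pattern, and the query-string layout (`subdomain=...&delete=true`) are assumptions made for the illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/**
 * Added example (not Openfire's code): validate a "subdomain" request parameter
 * on input and encode it on output before reflecting it into a deletion link.
 * The page itself only describes the fix; the details below are assumptions.
 */
public class SubdomainReflection {

    // Assumed allow-list: dotted DNS labels of letters, digits and hyphens, no
    // leading/trailing hyphen, whole name at most 253 characters.
    private static final Pattern SUBDOMAIN = Pattern.compile(
            "^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
          + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");

    /** Input validation: anything that is not a plausible subdomain is rejected. */
    public static boolean isValidSubdomain(String s) {
        return s != null && s.length() <= 253 && SUBDOMAIN.matcher(s).matches();
    }

    /** Output encoding for an HTML attribute context: every character that can
     *  close a quoted attribute or start markup is replaced by an entity. */
    public static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The pattern the commit message describes as the defect: the raw parameter
     *  is concatenated straight into the deletion URI. */
    public static String deletionLinkUnsafe(String subdomain) {
        return "<a href=\"external-components-settings.jsp?subdomain="
                + subdomain + "&delete=true\">Delete</a>";
    }

    /** Hardened form: reject bad input, URL-encode the value for the query
     *  string, then attribute-encode the whole URI for the HTML context. */
    public static String deletionLinkSafe(String subdomain) {
        if (!isValidSubdomain(subdomain)) {
            throw new IllegalArgumentException("invalid subdomain parameter");
        }
        String uri = "external-components-settings.jsp?subdomain="
                + URLEncoder.encode(subdomain, StandardCharsets.UTF_8)  // Java 10+ overload
                + "&delete=true";
        return "<a href=\"" + encodeForHtmlAttribute(uri) + "\">Delete</a>";
    }

    public static void main(String[] args) {
        String benign = "gateway.example.org";            // constructed sample input
        String hostile = "x\" <script>";                   // constructed sample input that breaks the attribute
        System.out.println(deletionLinkUnsafe(hostile));  // quote and markup land in the page verbatim
        System.out.println(deletionLinkSafe(benign));     // validated and encoded
        try {
            deletionLinkSafe(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());  // blocked by input validation
        }
    }
}
```

Either layer alone closes this particular report; the commit applies both so that a value slipping past the allow-list is still rendered inert, and so that the allow-list keeps the JSP from emitting anything unexpected even if the encoding were later removed by accident.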
connection-settings-external-components.jsp 21.4 KB