Unescaped event and series titles when editing event or series (XSS)

Lars Kiesow

Jul 10, 2017, 9:14:40 AM
to Opencast Security Notices
Unescaped event and series titles when editing event or series in the
administrative user interface may cause arbitrary JavaScript code
injected into event or series titles to be executed by users.


Description
-----------

1. In the AdminUI, create an event or series with title

<script>window.alert('hi')</script>

2. Edit the Event or Series.

The event or series title is not escaped in the dialog title ("Series -
Title"), so the JavaScript is executed.


Affected Versions
-----------------

This issue should affect all versions of Opencast 2.x.


Fix Versions
------------

The issue is fixed in Opencast 3.0 and 2.3.4 (unreleased). A patch
fixing the issue is also attached to this mail.


Credits
-------

This issue has been discovered by Stephen Marquard (University of Cape
Town) and was fixed by Sven Stauber (SWITCH).
mh-12203.patch
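
An added illustration of the escaping issue described in this notice. It is not part of the original mail, not the attached patch and not Opencast code; the function names and the string-built dialog header are assumptions made for the example.

```javascript
// Added illustration; not Opencast code. The function names and the
// string-built <h2> dialog header are assumptions for this example.

// Title taken from the notice's reproduction step.
const noticeTitle = "<script>window.alert('hi')</script>";
// Constructed sample of a legitimate title containing special characters.
const benignTitle = "Physics & Maths <2017>";

// Escape the characters that are significant in HTML text and quoted
// attribute values. '&' is replaced first so that the entities produced
// by the later replacements are not escaped a second time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Before: the stored title is concatenated into the dialog markup as-is.
function dialogTitleUnescaped(kind, title) {
  return "<h2>" + kind + " - " + title + "</h2>";
}

// After: the stored title is treated as text, never as markup.
function dialogTitleEscaped(kind, title) {
  return "<h2>" + escapeHtml(kind) + " - " + escapeHtml(title) + "</h2>";
}

// Regression check: true if any tag besides the wrapper's own <h2>
// survives in the rendered dialog header.
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<h2>/, "").replace(/<\/h2>$/, "");
  return /<[a-zA-Z\/!]/.test(inner);
}

for (const title of [noticeTitle, benignTitle]) {
  console.log("unescaped:", dialogTitleUnescaped("Series", title),
              "| markup survives:",
              containsInjectedMarkup(dialogTitleUnescaped("Series", title)));
  console.log("escaped:  ", dialogTitleEscaped("Series", title),
              "| markup survives:",
              containsInjectedMarkup(dialogTitleEscaped("Series", title)));
}
```

The same check can be run as a regression test over every place a stored title is rendered, since the notice shows that a single unescaped location (the dialog title) is enough.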