
XSS on the page "Unknown browser"

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Major
    • 4.2.0
    • 3.6M6

      How to reproduce

      • disable the "ignore browser test" in _admin of the back-office
      • access the back-office with an unknown browser

      Actual behavior

      • A page is displayed with a message explaining that this browser is not compatible
      • the URI parameter is visible in the address bar
      • the parameter is used without any control to create the redirection link on the "force access" button; this is an XSS security flaw
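As an added example (not Ametys project code), one way the back-office could treat such a parameter: accept only a same-site path as the redirect target, fall back to a safe default otherwise, and escape the value before placing it in the link's href attribute. The parameter name `uri` and the `buildForceAccessLink` helper are assumptions for illustration.

```javascript
// Added example, not project code: hardening a redirect target taken from an
// untrusted query parameter before it is placed in the "force access" link.
// Assumes the parameter is named `uri` (hypothetical) and that the back-office
// only ever needs to send the user back to a path on the same site.

// Accept only a local absolute path such as "/cms/_admin/index.html?x=1".
// Rejects absolute URLs (a scheme, or scheme-relative "//host"), backslashes
// (some browsers treat "\" as "/") and control characters.
function sanitizeRedirectTarget(raw, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return fallback;
  }
  // Must start with exactly one "/" that is not followed by "/" or "\".
  if (!/^\/(?![\/\\])/.test(raw)) return fallback;
  // No control characters or backslashes anywhere in the value.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return fallback;
  // Defensive second check: resolve against a dummy origin and confirm the
  // result stayed on that origin, then keep only path and query.
  try {
    const url = new URL(raw, "https://cms.invalid");
    if (url.origin !== "https://cms.invalid") return fallback;
    return url.pathname + url.search;
  } catch {
    return fallback;
  }
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeHtmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the link markup for the "unknown browser" page from the raw parameter.
function buildForceAccessLink(rawUri) {
  const target = sanitizeRedirectTarget(rawUri);
  return `<a href="${escapeHtmlAttr(target)}">Force access</a>`;
}
```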

          Raphaël Franchet added a comment:

          I don't think this is true.
          If it was true, any login page (that includes a redirection) would be a security hole... such as CAS?

          Whatever, in v4 this does not exist anymore.

            Assignee: Unassigned
            Reporter: Frederic Ravetier (Inactive)
            Votes: 0
            Watchers: 2