dotclear 2.8.1: XSSDate: 2015-11-13 11:38:15
|Affected Product:||dotclear 2.8.1|
|Fixed Version Link:||http://download.dotclear.org/latest.zip|
|Reported to vendor:||10/02/2015|
|Disclosed to public:||11/13/2015|
|Release mode:||Coordinated release|
|Credits||Tim Coen of curesec GmbH|
Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
The Comment author name is echoed inside the value attribute of an input tag when viewing the list of all comments for that author. Quotes are not encoded, which allows for the addition of further attributes to the tag.
The field is hidden, so onfocus or similar do not work, and the length of the name is limited, which makes an actual exploitation unlikely. Still, with older browser an attacker might try to inject a style attribute which may lead to XSS.
3. Proof of Concept
To mitigate this issue please upgrade at least to version 2.8.2:
Please note that a newer version might already be available.
5. Report Timeline
|10/25/2015||Vendor releases fix|
|11/13/2015||Disclosed to public|