MantisBT: master-2.2 ecef0e9b

Author: dregad
Committer: dregad
Branch: master-2.2
Timestamp: 2017-03-24 08:02
Parent: master-2.2 c83fe546
Affected Issues: 0022568: CVE-2017-7241: XSS in move_attachments_page.php
Changeset

Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Move Attachments admin page, allowing
an attacker to inject arbitrary code through a crafted 'type'
parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special
characters are properly escaped.

Fixes 0022568

mod - admin/move_attachments_page.php