View Issue Details
|ID|Project|Category|View Status|Date Submitted|Last Update|
|---|---|---|---|---|---|
|0022266|mantisbt|security|public|2017-01-26 21:49|2017-03-22 04:17|

|Target Version|Fixed in Version|
|---|---|
|2.1.1|2.1.1|

Summary: 0022266: CVE-2017-7222: Sanitize window title
The config option 'window_title' can include <script>alert(1);</script> or <img> tags and it will be rendered successfully. This is mitigated via:
Having said that, we should run this through sanitization anyway.
I was able to reproduce this on master, but haven't tried on 1.3.x.
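The following is an added illustration, not MantisBT's own code and not the fix committed below: it contrasts emitting a configured title value into page markup verbatim with HTML-escaping it first. The function names `render_title_raw`, `render_title_safe` and `contains_tag` are hypothetical, the sample values are constructed, and escaping uses PHP's built-in `htmlspecialchars` rather than any MantisBT string API.

```php
<?php
// Added example, not MantisBT code. Shows why an unescaped configuration
// value that reaches page markup is an XSS sink, and that escaping HTML
// metacharacters before output neutralises it regardless of which element
// the value lands in.

// Constructed sample values, as a 'window_title' option might hold them.
$titles = [
    'Mantis Bug Tracker',
    '<script>alert(1);</script>',
    'Tracker <img src=x>',
];

// Hypothetical vulnerable rendering: the configured value is interpolated as-is.
function render_title_raw(string $title): string {
    return "<title>$title</title>";
}

// Hypothetical hardened rendering: escape <, >, &, " and ' before output.
// ENT_QUOTES covers both quote styles; UTF-8 keeps non-ASCII titles intact.
function render_title_safe(string $title): string {
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<title>$escaped</title>";
}

// Crude check used only for the demonstration: after removing the <title>
// wrapper, does any '<' remain that the HTML parser could treat as a tag?
function contains_tag(string $html): bool {
    $inner = preg_replace('#^<title>(.*)</title>$#s', '$1', $html);
    return strpos($inner, '<') !== false;
}

foreach ($titles as $t) {
    $raw  = render_title_raw($t);
    $safe = render_title_safe($t);
    printf("raw : %s  [tag present: %s]\n", $raw, contains_tag($raw) ? 'yes' : 'no');
    printf("safe: %s  [tag present: %s]\n\n", $safe, contains_tag($safe) ? 'yes' : 'no');
}
```

For the two constructed payloads the raw output still contains a live tag while the escaped output contains only `&lt;` and `&gt;` entities, which is the property the fix in core/layout_api.php needs to guarantee whether or not CSP is enabled in the browser.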
Tags: No tags attached.
Just noticed this... being a security issue, we need to get a CVE ID assigned. I'll take care of it.
It can't affect 1.3.x, since layout API was introduced in 2.x as part of modern UI.
Issue was introduced in release 2.0.0-beta.1 MantisBT master 6a32ba7f
@dregad Since this is not exploitable because of CSP, is it still considered a security issue? If we still should create CVE, we should make it clear in the description that this would have no effect if CSP is enabled.
Yes. Not only can CSP be disabled, but also some older browsers do not support it.
Absolutely. I always do.
MantisBT: master-2.1 a85b0b96
2017-02-12 18:58:25

Sanitize window title

The window title is not sanitized. That is not an issue when CSP is enabled (default),
to set configuration via Manage - Manage Configuration - Configuration Report page.

mod - core/layout_api.php