SS-2013-008: XSS in form validation errors

Severity:
Low
Identifier:
SS-2013-008
Versions Affected:
3.0.6, 3.1.0
Versions Fixed:
3.0.7, 3.1.0-rc3
Release Date:
2013-09-24

The CMS allows for user feedback through custom messages generated by form or form field validation. If these messages incorporate user-provided data, such as quoting a wrongly formatted value, they can lead to cross-site scripting. Validation messages usually prevent the form from saving, so the malicious input is normally neither persisted nor accessible to other users. But since Form->sessionMessage() can also be used to pass success messages to the user, this can lead to persisted malicious input in rare cases where stored data is used to compose this message.

Form and form field messages are assumed to be plain text and are escaped by default.
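As an added illustration, not SilverStripe's own code, the following shows the vulnerable pattern the advisory describes (quoting the rejected value inside a message that is echoed as raw HTML) beside the hardened form in which the message is treated as plain text and escaped at output. DemoForm, validateEmailUnsafe and validateEmailSafe are hypothetical stand-ins; only the sessionMessage() name comes from the advisory.

```php
<?php
// Added illustration, not SilverStripe code. DemoForm is a hypothetical
// stand-in for a form that keeps a message in the session for rendering.

class DemoForm
{
    private $message = '';

    // Stand-in for Form->sessionMessage(): stores the text shown to the user.
    public function sessionMessage($message, $type = 'bad')
    {
        $this->message = $message;
    }

    public function getMessage()
    {
        return $this->message;
    }
}

// Vulnerable pattern: the wrongly formatted value is quoted inside the
// message, and the template echoes the message as raw HTML.
function validateEmailUnsafe(DemoForm $form, $value)
{
    if (!filter_var($value, FILTER_VALIDATE_EMAIL)) {
        $form->sessionMessage("'" . $value . "' is not a valid email address");
        return '<p class="message bad">' . $form->getMessage() . '</p>';
    }
    return '';
}

// Hardened pattern: the message is plain text and is escaped once, at
// output, so user-provided data cannot inject markup into the page.
function validateEmailSafe(DemoForm $form, $value)
{
    if (!filter_var($value, FILTER_VALIDATE_EMAIL)) {
        $form->sessionMessage("'" . $value . "' is not a valid email address");
        $escaped = htmlspecialchars($form->getMessage(), ENT_QUOTES, 'UTF-8');
        return '<p class="message bad">' . $escaped . '</p>';
    }
    return '';
}

// Constructed sample input containing markup.
$input = '<b>not-an-email</b>';
echo validateEmailUnsafe(new DemoForm(), $input), "\n"; // markup reaches the page verbatim
echo validateEmailSafe(new DemoForm(), $input), "\n";   // markup shown as literal text
```

The same escaping must also apply to success messages passed through sessionMessage(), since those may be composed from stored data rather than the current request.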

Reported by Vulnerability Laboratory Evolution