Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

SS-2014-011: Folder filename injection

Severity:
Low (?)
Identifier:
SS-2014-011
Versions Affected:
3.0.10, 3.1.4, master
Versions Fixed:
3.0.11, 3.1.5, master
Release Date:
2014-05-07

When editing files and assets in the CMS it was possible to rename a folder using invalid characters, allowing the resulting filename to be injected directly into the HTML of the page. Although the folder itself would have these invalid characters stripped, the `Title` field of folders would not be cleaned using the same method.

The fix to this issue is to ensure that the Name and Title of Folder objects are now both correctly cleaned of invalid characters.