Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

SS-2015-022: XML escape RSSFeed $link parameter

Low (?)
Versions Affected:
3.1.15 and below, 3.2.0
Versions Fixed:
3.1.16, 3.2.1
Release Date:

When RSSLink is created it is given a URL which is rendered via $Link in a template, which is not escaped properly. 
This was resolved by ensuring that $Link is cast to Varchar, which is XML encoded by default in any template.

Common Vulnerability Scoring System (VCSS) Information