
Authenticated stored XSS

Open jvoisin opened this issue 8 years ago • 3 comments

It's possible for an admin to issue a self stored XSS by editing the calendar or the address book of a user, on /admin/?/users/calendars/user/XXX/edit/YYY/ and /admin/?/users/addresbooks/user/XXX/edit/YYY/, by setting the data[displayname] variable to something like `.

The impact is pretty low, since one has to be an administrator to edit this variable.

jvoisin, Mar 13 '17 20:03

Hey, @jvoisin: You seem pretty familiar with the code base. So may I ask you to contribute your proposed changes as pull requests? Otherwise, it seems unlikely that any of this will be fixed, after Evert Pot has stopped his effort.

derStephan, Apr 19 '17 06:04

I'm not familiar at all with the codebase, I just took a glance at it, sorry :/

jvoisin, Apr 19 '17 11:04

I just took a glance at it

Oh, measured by the number of issues regarding security created by you, I expected differently.

sorry :/

sorry.

derStephan, Apr 19 '17 11:04