
EZSA-2011-03: Cross site scripting (XSS) issue in the ezstarrating extension

Publication date : 09/05/2012
Severity : Low
Affected versions : ezstarrating 1.0, 1.1, 1.2, 1.3 (enterprise version not affected)
Resolving versions : ezstarrating 1.0, 1.1, 1.2, 1.3, 1.4

This update fixes a cross site scripting (XSS) issue in the ezstarrating extension.
If the attribute id passed to ezsrServerFunctions::rate() contained a script and the other parameters failed validation, the injected script was written back to the client unescaped in the response body. Whether it executed depended on how the client handled that response: parsing it as JSON is normally safe, but evaluating it as JavaScript is not.
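The following is an added example, not ezstarrating's own code. The real handler is PHP (ezsrServerFunctions::rate); this is a hypothetical JavaScript model of the bug class the advisory describes, with the vulnerable handler, a hardened handler, and the two client behaviours side by side. The function names, the 1 to 5 rating range, the response shape and the constructed payload are all assumptions for illustration, not details taken from the patch.

```javascript
// Added example, not ezstarrating's own code. Models the pattern in EZSA-2011-03:
// an attribute id echoed unescaped into an AJAX error response. Names, the
// 1..5 rating range and the response shape are assumptions for illustration.

// Vulnerable handler: when the rating fails validation, the raw attribute id is
// concatenated straight into the response body, exactly as received.
function rateVulnerable(params) {
  const rating = Number(params.rating);
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
    return '{"error": "invalid rating for attribute ' + params.attributeId + '"}';
  }
  return JSON.stringify({ error: null, id: Number(params.attributeId), rating });
}

// Hardened handler (one possible fix, not the project's patch): reject any
// attribute id that is not a plain decimal integer before it can reach the
// response, and build every response with JSON.stringify so untrusted input is
// never concatenated into the body.
function rateFixed(params) {
  const id = String(params.attributeId);
  if (!/^[0-9]{1,10}$/.test(id)) {
    return JSON.stringify({ error: "invalid attribute id" });
  }
  const rating = Number(params.rating);
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
    return JSON.stringify({ error: "invalid rating", id: Number(id) });
  }
  return JSON.stringify({ error: null, id: Number(id), rating });
}

// Client that treats the body as JSON data: a malformed body is a SyntaxError,
// and nothing in a JSON document is ever executed.
function consumeAsJson(body) {
  try {
    return { executed: false, parsed: JSON.parse(body), error: null };
  } catch (e) {
    return { executed: false, parsed: null, error: e.name };
  }
}

// Client that treats the body as JavaScript, the legacy eval('(' + text + ')')
// style some AJAX code used before JSON.parse was universal. Any expression the
// server echoed back runs in the page's origin.
function consumeAsJavaScript(body) {
  globalThis.__injected = false; // sentinel the constructed payload flips
  let parsed = null;
  let error = null;
  try {
    parsed = eval("(" + body + ")");
  } catch (e) {
    error = e.name;
  }
  return { executed: globalThis.__injected === true, parsed, error };
}

// Constructed payload: closes the string literal and splices in an expression.
// In a browser this would be alert(document.cookie); here it sets a flag.
const PAYLOAD = 'x"+(globalThis.__injected=true)+"';

// Runs the same bad request (invalid rating, script in the id) through both
// handlers and both clients.
function demo() {
  const vulnBody = rateVulnerable({ attributeId: PAYLOAD, rating: "99" });
  const fixedBody = rateFixed({ attributeId: PAYLOAD, rating: "99" });
  return {
    vulnerableAsJson: consumeAsJson(vulnBody).executed,
    vulnerableAsJavaScript: consumeAsJavaScript(vulnBody).executed,
    fixedAsJavaScript: consumeAsJavaScript(fixedBody).executed,
    fixedBody,
  };
}
```

The vulnerable body only becomes code if the client evaluates it; a client that uses JSON.parse gets a SyntaxError instead. The server-side fix does not rely on that: rejecting the id before it is echoed, and serialising the whole response with JSON.stringify, removes the injection regardless of what the client does. Serving the response with Content-Type: application/json and parsing it with JSON.parse closes the client side as well.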

Patch:

https://github.com/ezsystems/ezstarrating/commit/92442b48d37f3cf72d9ffc4e3be1dbc438769b48

A Security Update with the reference EZPSA-2011-003 is available for eZ Publish Enterprise customers.
