Osclass Support Forums

Osclass plugin support => Attributes Plugins => Topic started by: Tango on September 25, 2021, 02:07:01 AM

Title: XSS vulnerability and a Notice
Post by: Tango on September 25, 2021, 02:07:01 AM
Please note that the Attributes Plugin has unsanitized fields leading to possible XSS exploits, as you can see in the attached screenshot.

Also, there's the following notice:
Code:
PHP Notice:  Undefined index: values in \oc-content\plugins\attributes\functions.php on line 807
Plugin version: 2.4.0
PHP Version: 7.2.34

Hoping for a quick fix.
Thanks!
Title: Re: XSS vulnerability and a Notice
Post by: MB Themes on September 27, 2021, 02:43:13 PM
@Tango
Thank you, it will be fixed in the next update.
Title: Re: XSS vulnerability and a Notice
Post by: Tango on October 25, 2021, 10:12:29 AM
@Frosticek
Any news on this?

Security issues (big or small) should have top priority, as they can be exploited with devastating consequences...
https://forums.osclasspoint.com/invoice-osclass-plugin/unsanitized-vat-number-fields/
https://forums.osclasspoint.com/user-rating-plugin/xss-vulnerability/

Also, the first rule of secure programming is:
Never Trust User Input :-[
(https://i.imgur.com/PhbIrcj.jpeg)

Thanks!
Title: Re: XSS vulnerability and a Notice
Post by: MB Themes on October 25, 2021, 10:43:17 AM
@Tango
It was fixed some time ago, it just was not re-uploaded.
You can find fixes now.