I'm thinking about using CMSMS for some sites, but I read about an 'XSS Vulnerability' in version 1.0.2 at http://securityreason.com/exploitalert/1442. Is it a real exploit?
TIA
Ramon
Is that XSS Vulnerability true?
Re: Is that XSS Vulnerability true?
I have tried it, and the "hack" doesn't work.
Maybe this security flaw was found on a customized install???
Re: Is that XSS Vulnerability true?
Honestly, I thought we handled all of this before 1.0 came out. There are possibly some other places inside the admin where you can get an XSS, but they're behind a login already. The login page should be handling filtering out any javascript.... SHOULD.
If proven that it's possible (2 people now say it doesn't work), then we'll fix it and get a 1.0.3 out. It's an issue but it's not a life threatening problem.
Re: Is that XSS Vulnerability true?
We've decided to release a 1.0.3 in the next couple of days. We just got to thinking of other places where we should do better sanitizing of input and will do that. Plus, there was a slew of fixes in svn just waiting to go out anyway... Now is as good a time as any.