XSS Vulnerability Report

3 posts by 2 authors in: Forums > CMS Builder
Last Post: August 12   (RSS)

By daniel - August 11

Hi Jeremy,

Thank you for bringing this to our attention!

As a short-term patch, you can update /cmsb/lib/init.php at line 649 from this:

alert(sprintf(t("Updating Program Url to: %s")."<br>\n", $SETTINGS['adminUrl']));

to this:

alert(sprintf(t("Updating Program Url to: %s")."<br>\n", htmlencode($SETTINGS['adminUrl'])));

This should - at a minimum - remove the XSS vulnerability reported, though we'll also be doing a review of some underlying factors and will release this and any additional security fixes in the next version of CMSB.

Let me know if you have any further questions!

Thanks again,

Daniel
Technical Lead
interactivetools.com

By dwellingproductions - August 12

Awesome! Thanks so much! That seems to have done the trick. I'll keep an eye out for future updates as well. Really appreciate it! :-)

All the best,
Jeremy

---------------------------

Dwelling Productions

www.dwellingproductions.com