
XSS in search results address and email fields

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Trivial
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.7.16, 4.6.28
    • Fix Version/s: 4.6.29, 4.7.21
    • Component/s: None
    • Security Level: Security - Published
    • Labels: None
    • Versioning Impact: Patch (backwards-compatible bug fixes)
    • Documentation Required?: None
    • Funding Source: Needs Funding
    • Verified?: No

      Description

      Steps to reproduce:

      1. Create a new contact
      2. Set Street Address = " onmouseover="alert('XSS');" x="
      3. Perform a search in which the contact is displayed in the results
      4. Hover over the street address and observe that the injected JavaScript has been executed

      The email field in the search results screen is affected as well, although it's more difficult to get the exploit into that field because of the input validation (though presumably possible).
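      The underlying defect is a contact field rendered into the search results markup without being escaped for the HTML attribute context it lands in, so a double quote in the data closes the attribute and the rest of the value is parsed as new attributes. The following Python sketch is an added illustration, not CiviCRM's own code; the template shape (the address placed in a `title` attribute and in the cell body) is an assumption. It shows the unescaped rendering beside the escaped one and a parser-based regression check that reports any attribute the template itself never emits:

```python
import html
from html.parser import HTMLParser

# Constructed sample: the street address value quoted in the reproduction steps.
PAYLOAD = '" onmouseover="alert(\'XSS\');" x="'

# Attribute names the (assumed) template emits itself; anything else came from data.
TEMPLATE_ATTRS = {"title"}


def render_address_cell_unsafe(street_address: str) -> str:
    """Vulnerable shape: raw value interpolated into a double-quoted attribute
    and into the cell body. A quote in the data terminates the attribute."""
    return '<td><span title="%s">%s</span></td>' % (street_address, street_address)


def render_address_cell(street_address: str) -> str:
    """Fixed shape: html.escape(quote=True) turns <, >, &, " and ' into entities,
    so the value can no longer close the attribute it is placed in."""
    safe = html.escape(street_address, quote=True)
    return '<td><span title="%s">%s</span></td>' % (safe, safe)


class _AttrCollector(HTMLParser):
    """Collects every attribute name the browser-equivalent parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.names.extend(name for name, _ in attrs)


def injected_attributes(markup: str) -> list[str]:
    """Regression check: attribute names present in the rendered cell that the
    template does not emit. A non-empty list means data escaped its context.
    Parsing is used rather than a regex, because the escaped output still
    contains the literal text 'onmouseover=' inside the attribute value."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return [name for name in parser.names if name not in TEMPLATE_ATTRS]


if __name__ == "__main__":
    print(injected_attributes(render_address_cell_unsafe(PAYLOAD)))  # ['onmouseover', 'x']
    print(injected_attributes(render_address_cell(PAYLOAD)))         # []
```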


            People

            • Assignee: Sean Madsen (seanmadsen)
            • Reporter: Seamus Lee (seamuslee)
            • Authorized Participants: Sean Madsen
            • Votes: 0
            • Watchers: 3
