[CRM-20301] XSS in search results address and email fields - CiviCRM Issue Tracker

Details

Type: Bug
Status: Done/Fixed
Priority: Trivial
Resolution: Fixed/Completed
Affects Version/s: 4.7.16, 4.6.28
Fix Version/s: 4.6.29, 4.7.21
Component/s: None
Security Level: Security - Published
Labels:
None

Versioning Impact:
Patch (backwards-compatible bug fixes)
Documentation Required?:
None
Funding Source:
Needs Funding
Verified?:
No

Description

Steps to reproduce:

Create a new contact
Set Street Address = " onmouseover="alert('XSS');" x="
Perform a search in which the contact is displayed in the results
Hover over the street address and observe that js has been executed

The email field in the search results screen is affected as well, although it's more difficult to get the exploit into that field because of the input validation (though presumably possible).

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

steps-to-reproduce-01.png
2017-03-18 4:51
33 kB
Sean Madsen
steps-to-reproduce-02.gif
2017-03-18 4:51
71 kB
Sean Madsen

Activity

[CRM-20301] XSS in search results address and email fields

Sean Madsen added a comment - 2017-03-18 5:25

Proposed fix is here:
https://github.com/civicrm/civicrm-core/compare/master...seanmadsen:CRM-20301?expand=1

Seamus Lee added a comment - 2017-05-18 22:28

I have tested Sean's proposed fix and it works and solves the issue

Mark Hanna added a comment - 2017-05-24 2:39

Backport of fix for 4.6 PR: https://github.com/civicrm/civicrm-core/pull/10410

People

Assignee:

Sean Madsen

Reporter:

Seamus Lee

Authorized Participants:

Sean Madsen

Dates

Created:

2017-03-18 4:49

Updated:

2017-07-07 21:50

Resolved:

2017-05-19 2:47