U4-485 - XSS scripting exploit in backend

Created by Sebastiaan Janssen 19 Aug 2012, 14:53:28 Updated by Sebastiaan Janssen 19 Apr 2013, 07:00:47

Relates to: U4-2122

If you save the following string "" in the field "name" of a document in the properties tab. This script will be executed every time the document is displayed in the content navigation tree (umbraco 4.7.0).

This can be used to compromise logins of cms users if an hacker manages to get this stored in the database (please note that packages or custom components have access to this field and can present a potential entry point for a hacker).

When could this be solved? And might there a simple solution available that we can use to patch this with?

''Originally created on CodePlex by [CollinM|http://www.codeplex.com/site/users/view/CollinM]'' on 11/14/2011 4:00:02 PM [Codeplex ID: 30580 - Codeplex Votes: 1]

Comments

Priority: Normal

Type: Bug

State: Fixed

Assignee: Shannon Deminick

Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions: 4.8.0, 4.9.0, 4.10.0, 4.11.0, 6.0.0, 4.9.1, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 6.0.1, 4.11.5, 6.0.2, 4.11.6, 6.0.3

Due in version: 6.0.4, 4.11.7

Sprint:

Story Points:

Cycle: