Piwigo Bugtracker

Piwigo bug tracker has moved to Github

This bugtracker is kept to provide history on old issues.


Issue Details

ID: 0002805
Project: Piwigo
Category: security
View Status: public
Date Submitted: 2012.12.13 10:26
Last Update: 2012.12.13 11:55
Reporter: plg
Assigned To: plg
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.4.5
Target Version: 2.4.6
Fixed in Version: 2.4.6

Summary: 0002805: XSS from EXIF/IPTC metadata

Description:
An arbitrary tag or script may be executed in the user's browser. For example with <script>alert("maker")</script> as the EXIF:Make field.

This vulnerability can only be used with user upload (Community) and no validation from the administrators (this is why this is a minor security issue).
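The defensive fix for this class of bug is to treat every value extracted from an uploaded file's EXIF/IPTC block as untrusted input and HTML-encode it when it is written into the page. The PHP below is an added illustration, not Piwigo's own code and not the r19417 patch: it places the raw-output pattern beside an escaped one. The $exif array is a constructed stand-in for what exif_read_data() would return for a crafted file, using the Make payload quoted in this report.

```php
<?php
// Added example (not Piwigo's code): rendering EXIF/IPTC values safely.
// Metadata read from an uploaded file is attacker-controlled input, exactly
// like a form field, so it must be escaped for the HTML context it lands in.

declare(strict_types=1);

// Constructed sample metadata, as exif_read_data() might return it for a
// crafted upload. The Make value is the payload named in the bug report.
$exif = [
    'Make'             => '<script>alert("maker")</script>',
    'Model'            => 'Example "Pro" Camera',
    'DateTimeOriginal' => '2012:12:13 10:26:00',
];

/**
 * Vulnerable pattern: the raw value is concatenated straight into the page,
 * so a crafted Make field becomes live markup in every visitor's browser.
 */
function render_metadata_vulnerable(array $fields): string
{
    $html = '<dl>';
    foreach ($fields as $name => $value) {
        $html .= '<dt>' . $name . '</dt><dd>' . $value . '</dd>';
    }
    return $html . '</dl>';
}

/**
 * Encode one untrusted string for HTML element content. ENT_QUOTES also
 * encodes both quote characters, so the same helper is safe inside attribute
 * values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
 * string, which would otherwise silently drop a field.
 */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern: every value (and, defensively, every key) is encoded at
 * output time. Non-scalar entries (binary blobs, nested arrays that some
 * readers return) are skipped rather than cast and printed.
 */
function render_metadata_safe(array $fields): string
{
    $html = '<dl>';
    foreach ($fields as $name => $value) {
        if (!is_scalar($value)) {
            continue;
        }
        $html .= '<dt>' . escape_html((string) $name) . '</dt>'
               . '<dd>' . escape_html((string) $value) . '</dd>';
    }
    return $html . '</dl>';
}

// Demonstration: the vulnerable renderer emits an executable <script> tag,
// the hardened one emits the same characters as inert text.
$vulnerable = render_metadata_vulnerable($exif);
$safe       = render_metadata_safe($exif);

assert(str_contains($vulnerable, '<script>alert("maker")</script>'));
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;alert(&quot;maker&quot;)&lt;/script&gt;'));

echo $safe, PHP_EOL;
```

Escaping belongs at the output boundary rather than at import time: metadata stored raw can still be searched and exported faithfully, and each template decides the encoding for its own context (element content here; a URL or JavaScript context would need a different encoder).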
Tags: No tags attached.
browser: any
Database engine and version:
PHP version:
Web server: Apache 1.3.x
Attached Files: (none)

Relationships
related to 0002899 (closed, plg): ability to allow HTML in EXIF/IPTC

Notes

Note 0006771, by svn (reporter), 2012.12.13 10:27

[Subversion] r19417 by plg on branch 2.4

-----[Subversion commit log]----------------------------------------------------
bug 2805: avoid XSS from EXIF/IPTC
Note 0006772, by svn (reporter), 2012.12.13 10:33

[Subversion] r19418 by plg on trunk

-----[Subversion commit log]----------------------------------------------------
merge r19417 from branch 2.4 to trunk

bug 2805: avoid XSS from EXIF/IPTC


Issue History
Date Modified | Username | Field | Change
2012.12.13 10:26 plg New Issue
2012.12.13 10:26 plg Status new => assigned
2012.12.13 10:26 plg Assigned To => plg
2012.12.13 10:26 plg browser => any
2012.12.13 10:26 plg Web server => Apache 1.3.x
2012.12.13 10:27 svn Checkin
2012.12.13 10:27 svn Note Added: 0006771
2012.12.13 10:33 svn Checkin
2012.12.13 10:33 svn Note Added: 0006772
2012.12.13 11:55 plg Status assigned => closed
2012.12.13 11:55 plg Resolution open => fixed
2012.12.13 11:55 plg Fixed in Version => 2.4.6
2013.05.14 10:05 plg Relationship added related to 0002899


Copyright © 2000 - 2016 MantisBT Team
Powered by Mantis Bugtracker