[Vtigercrm-developers] XSS Vulnerability

Prasad prasad at vtiger.com
Fri Jul 21 14:27:03 GMT 2023


Thank you Henry - we have a refactored fix.
Please refer to https://code.vtiger.com/vtiger/vtigercrm/-/issues/1776

Have a good weekend.

On Tue, May 16, 2023 at 5:37 AM Henry Cumbicus Rivera <hcumbicusr at gmail.com>
wrote:

> Hello everyone,
> one of my clients reported this vulnerability to me in vtiger and
> apparently it happens in all vtiger, up to the current version 7.5. The
> solution that worked for me was to apply smarty's "strip_tags"
> everywhere $smarty.request.view appears, like this:
> {$smarty.request.view|strip_tags}
>
> smarty: https://www.smarty.net/docs/en/language.modifier.strip.tags.tpl
>
> Fix: Mainly in ModuleHeader.tpl files
>
> --
>
> ---------------------------------------------------------------
> Ing. Henry C.
> Tel.: +51 956727976
> _______________________________________________
> http://www.vtiger.com/
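A stand-alone PHP sketch, added here and not taken from vtiger, Smarty or the fix in issue 1776, that contrasts the strip_tags modifier Henry applied to $smarty.request.view with Smarty's escape modifier and with an allowlist check on the view name; the function names and sample request values are made up for the illustration.

```php
<?php
// Added example; not vtiger or Smarty code. Stand-alone PHP equivalents of the
// two Smarty modifiers a template author can apply to $smarty.request.view,
// plus an allowlist check, so the comparison runs without Smarty installed.

// Equivalent of Smarty's {$var|strip_tags}: each tag is replaced with a space.
function smartyStripTags(string $s): string
{
    return preg_replace('!<[^>]*?>!', ' ', $s);
}

// Equivalent of Smarty's {$var|escape}: HTML metacharacters become entities,
// so the value is rendered as text whatever it contains.
function smartyEscape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Defence in depth for the 'view' parameter specifically: view names are plain
// identifiers, so anything else can be rejected before it reaches a template.
// Returns null when the value is not an identifier.
function allowlistedView(string $view): ?string
{
    return preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $view) === 1 ? $view : null;
}

// Constructed request values standing in for ?view=...; not from the report.
$samples = ['List', 'Detail', 'List<b>x</b>'];

foreach ($samples as $view) {
    printf("raw:        %s\n", $view);
    printf("strip_tags: %s\n", smartyStripTags($view));
    printf("escape:     %s\n", smartyEscape($view));
    printf("allowlist:  %s\n\n", allowlistedView($view) ?? '(rejected)');
}
```

Run with `php example.php`: strip_tags removes tag-shaped substrings from the value, whereas escape encodes every metacharacter regardless of where in the page the value is rendered, and the allowlist rejects anything that is not a plausible view name before the template sees it.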