[Vtigercrm-developers] XSS Vulnerability
ITOTS Support
support at itcloudsec.com
Fri Jul 21 19:24:18 GMT 2023
Where can I get a container version of vTiger 7.5?
Todd
On 7/21/23 10:27, Prasad wrote:
> Thank you Henry - we have a refactored fix.
> Please refer https://code.vtiger.com/vtiger/vtigercrm/-/issues/1776
>
> Have a good weekend.
>
> On Tue, May 16, 2023 at 5:37 AM Henry Cumbicus Rivera
> <hcumbicusr at gmail.com> wrote:
>
> Hello everyone,
> one of my clients reported this vulnerability to me in vtiger and
> apparently it happens in all vtiger, up to the current version
> 7.5. The solution that worked for me was to apply smarty's
> "*strip_tags*" everywhere *$smarty.request.view* appears like this:
> *{$smarty.request.view|strip_request}*
>
> smarty:
> https://www.smarty.net/docs/en/language.modifier.strip.tags.tpl
>
> image.png
>
> Fix: Mainly in ModuleHeader.tpl files
> image.png
>
> --
>
> ---------------------------------------------------------------
> Ing. Henry C.
> Tel.: +51 956727976
> _______________________________________________
> http://www.vtiger.com/
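The fix quoted above is a template-level change, so a plain PHP example is the clearest way to see what it does and where it falls short. The code below is an added illustration, not vtiger or Smarty code: it models a header template that interpolates the request parameter `view` three ways (raw, after `strip_tags`, and after HTML-encoding) and adds an allowlist check on the value, which is what a reviewer would ask for given that a view name is only ever a short identifier. The function names, markup and sample inputs are all constructed for the example. Note that tag stripping protects the text-node position but not an attribute position; Smarty's `escape` modifier (which HTML-encodes, like `htmlspecialchars`) covers both, and Smarty's `|strip_tags` modifier behaves much like PHP's `strip_tags` but replaces each tag with a space by default.

```php
<?php
// Added example (not vtiger/Smarty code). Models a template that copies the
// request parameter "view" into markup, and the mitigations a defender
// would apply. All names and inputs here are constructed.

/** Vulnerable: the raw query-string value is copied into the markup. */
function render_view_unsafe(string $view): string
{
    return '<div class="module-header" data-view="' . $view . '">' . $view . '</div>';
}

/** Mitigation described in the thread: remove HTML tags from the value. */
function render_view_strip_tags(string $view): string
{
    // Removes <...> tags. Text in a tag-free payload (e.g. one that closes
    // an attribute with a quote) is left unchanged, so this is incomplete
    // wherever the value lands inside an attribute.
    $clean = strip_tags($view);
    return '<div class="module-header" data-view="' . $clean . '">' . $clean . '</div>';
}

/** Stronger: encode for the HTML context so the browser never sees markup. */
function render_view_escaped(string $view): string
{
    // ENT_QUOTES also encodes ' and ", which is what protects attribute values.
    $enc = htmlspecialchars($view, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="module-header" data-view="' . $enc . '">' . $enc . '</div>';
}

/** Allowlist: a view name is only ever a short identifier, so reject the rest. */
function is_valid_view_name(string $view): bool
{
    return (bool) preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $view);
}

// Constructed inputs: a legitimate view name, a tag-based payload, and a
// tag-free payload that strip_tags does not touch.
$samples = [
    'Detail',
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
];

foreach ($samples as $s) {
    echo "input:      ", $s, PHP_EOL;
    echo "unsafe:     ", render_view_unsafe($s), PHP_EOL;
    echo "strip_tags: ", render_view_strip_tags($s), PHP_EOL;
    echo "escaped:    ", render_view_escaped($s), PHP_EOL;
    echo "allowlist:  ", is_valid_view_name($s) ? 'accepted' : 'rejected', PHP_EOL, PHP_EOL;
}
```

Running it with `php example.php` prints each input under the three renderings: the second sample is neutralised by both `strip_tags` and encoding, the third survives `strip_tags` untouched and is only defused by encoding, and the allowlist rejects both hostile values before any template runs. In a Smarty template the equivalent of the encoding path is `{$smarty.request.view|escape}`, and validating the parameter in the PHP controller before it reaches the template removes the question of per-template modifiers altogether.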