[Vtigercrm-developers] XSS Vulnerability

Henry Cumbicus Rivera hcumbicusr at gmail.com
Tue May 16 00:03:36 GMT 2023


Hello everyone,
One of my clients reported this vulnerability to me in vtiger, and
apparently it happens in all vtiger versions, up to the current version 7.5. The
solution that worked for me was to apply smarty's "*strip_tags*" everywhere
*$smarty.request.view* appears, like this:
*{$smarty.request.view|strip_tags}*

smarty: https://www.smarty.net/docs/en/language.modifier.strip.tags.tpl

[image: image.png]



Fix: Mainly in ModuleHeader.tpl files
[image: image.png]



-- 

---------------------------------------------------------------
Ing. Henry C.
Tel.: +51 956727976
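As an added illustration (my own code, not part of this message, of vtiger or of Smarty), the following plain-PHP snippet reproduces what the `strip_tags` modifier does to a tainted `view` request parameter, and sets it beside the two other fixes a reviewer would normally compare it with: HTML escaping (Smarty's `|escape` modifier, `htmlspecialchars` underneath) and an allow-list of known view names. The request values and the list of view names are constructed for the example; the template fragment is a stand-in for the hidden input a ModuleHeader.tpl typically renders, not vtiger's actual markup.

```php
<?php
// Added example, not vtiger's or Smarty's code. Runs with plain PHP;
// no Smarty install needed. The functions mirror three ways the
// {$smarty.request.view} output could be rendered.
declare(strict_types=1);

// Constructed sample requests standing in for $_REQUEST['view'].
// The second one contains no tag at all, only a double quote.
$samples = [
    'Detail<script>alert(1)</script>',
    'Detail"x',
];

// Before the fix: the raw request value is echoed into the page (the XSS sink).
function renderUnsafe(string $view): string
{
    return '<input type="hidden" name="view" value="' . $view . '">';
}

// Equivalent of {$smarty.request.view|strip_tags}: tags are removed,
// but quotes and other attribute-breaking characters are left as they are.
function renderStripTags(string $view): string
{
    return '<input type="hidden" name="view" value="' . strip_tags($view) . '">';
}

// Equivalent of {$smarty.request.view|escape:'html'}: characters are encoded
// instead of removed, so the value cannot terminate the attribute or open a tag.
function renderEscaped(string $view): string
{
    return '<input type="hidden" name="view" value="'
        . htmlspecialchars($view, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Allow-list alternative: only view names the module really has are accepted;
// anything else falls back to a default. Constructed list for the example.
function renderAllowListed(string $view, array $knownViews, string $default = 'List'): string
{
    $safe = in_array($view, $knownViews, true) ? $view : $default;
    return '<input type="hidden" name="view" value="' . $safe . '">';
}

$knownViews = ['List', 'Detail', 'Edit'];

foreach ($samples as $view) {
    echo "input:      ", $view, PHP_EOL;
    echo "unsafe:     ", renderUnsafe($view), PHP_EOL;
    echo "strip_tags: ", renderStripTags($view), PHP_EOL;
    echo "escaped:    ", renderEscaped($view), PHP_EOL;
    echo "allow-list: ", renderAllowListed($view, $knownViews), PHP_EOL, PHP_EOL;
}
```

Running it shows that `strip_tags` neutralises the first sample but passes the second one through unchanged, because there is no tag to strip; the escaped and allow-listed renderings handle both. For a value that only ever names a view, the allow-list is the tightest fix; where the value must be reflected as-is, `|escape` is the modifier to reach for, with `|strip_tags` as a belt-and-braces addition rather than the sole defence.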