[Vtigercrm-developers] XSS Vulnerability
William Cardona
wcardona2000 at yahoo.com
Thu May 18 11:50:51 GMT 2023
Hi Henry, did you resolve the XSS by applying Smarty's strip_tags?
Regards
Sent from Yahoo Mail for Android
On Mon, 15 May 2023 at 18:08, Henry Cumbicus Rivera <hcumbicusr at gmail.com> wrote:
Hello everyone,
One of my clients reported this vulnerability in vtiger to me, and apparently it happens in all vtiger versions up to the current 7.5. The solution that worked for me was to apply Smarty's "strip_tags" modifier everywhere $smarty.request.view appears, like this:
{$smarty.request.view|strip_tags}
Smarty docs: https://www.smarty.net/docs/en/language.modifier.strip.tags.tpl
Fix: Mainly in ModuleHeader.tpl files
--
Ing. Henry C.
Tel.: +51 956727976
_______________________________________________
http://www.vtiger.com/
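The fix discussed in the thread, applying |strip_tags to $smarty.request.view, removes complete <...> tag sequences but is not an output-encoding step: what survives it depends on where the template echoes the value. The following is an added example, not code from the thread or from vtiger. It emulates in Python the behaviour of Smarty's default |strip_tags modifier (a regex that replaces complete <...> sequences with a space) and of |escape (htmlspecialchars with quotes encoded), renders a constructed value into two template contexts a ModuleHeader.tpl-style file might use (element text and a double-quoted attribute), and checks whether three constructed payloads still reach an executable position. The allow-list of view names is hypothetical; vtiger's real view names live in its code base.

```python
"""Reflected XSS via $smarty.request.view: strip_tags vs escape vs allow-list.

Added example, not vtiger code. The Smarty modifiers are emulated in Python
so the script runs offline; the payloads are constructed test inputs.
"""
import html
import re

# Smarty's |strip_tags (default replace_with_space=true) compiles to
# preg_replace('!<[^>]*?>!', ' ', $s): only *complete* <...> sequences go.
# Assumption: this mirrors the Smarty 3.x compiled modifier.
TAG_RE = re.compile(r"<[^>]*?>")


def smarty_strip_tags(value: str) -> str:
    return TAG_RE.sub(" ", value)


# Smarty's |escape (default "html") is htmlspecialchars with ENT_QUOTES.
def smarty_escape(value: str) -> str:
    return html.escape(value, quote=True)


# Hypothetical allow-list of view names (assumption for the example).
ALLOWED_VIEWS = frozenset({"List", "Detail", "Edit", "Index"})


def safe_view(value: str, default: str = "List") -> str:
    """Accept only a known view name; anything else falls back to the default."""
    return value if value in ALLOWED_VIEWS else default


# Two places a ModuleHeader.tpl-style template might echo the view.
def render_text(value: str) -> str:
    return f'<div class="moduleHeader">{value}</div>'


def render_attribute(value: str) -> str:
    return f'<div class="moduleHeader" data-view="{value}"></div>'


# Text context: dangerous if the markup contains a <script> tag or a tag
# carrying an on* event handler. Quoted attribute values are consumed by the
# regex, so an "on..." string inside a quoted value is not counted.
EVENT_RE = re.compile(
    r"<\w+(?:\s+[\w-]+(?:\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+))?)*\s+on\w+\s*=",
    re.IGNORECASE,
)
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def text_context_executes(markup: str) -> bool:
    return bool(SCRIPT_RE.search(markup) or EVENT_RE.search(markup))


# Attribute context: the value sits inside a double-quoted attribute, so it
# breaks out exactly when a raw double quote survives the modifier.
def attribute_breakout(value: str) -> bool:
    return '"' in value


def evaluate(payload: str) -> dict:
    """Map each context/modifier pair to True if the payload still executes."""
    return {
        "text/strip_tags": text_context_executes(render_text(smarty_strip_tags(payload))),
        "text/escape": text_context_executes(render_text(smarty_escape(payload))),
        "attr/strip_tags": attribute_breakout(smarty_strip_tags(payload)),
        "attr/escape": attribute_breakout(smarty_escape(payload)),
        "attr/allowlist": attribute_breakout(safe_view(payload)),
    }


# Constructed payloads: one that strip_tags handles, one with no closing '>'
# that the regex leaves untouched, and one that needs no tag at all.
PAYLOADS = {
    "closed tag": "<script>alert(1)</script>",
    "unclosed tag": "<img src=x onerror=alert(1)",
    "attribute breakout": '" onmouseover="alert(1)',
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:20s} {evaluate(payload)}")
```

Running it shows the split: the closed <script> payload is neutralised everywhere, the unclosed <img ... onerror=...> survives |strip_tags in text context because the regex needs a closing '>', and the quote-based payload survives |strip_tags inside an attribute because it contains no tag at all. |escape is safe in both of these contexts, and since the view parameter only ever needs to name a known view, validating it against a fixed set before it reaches any template removes the question of context entirely.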