[CKAN-Security] XSS vulnerability in email fields
Jakob.Niggel at continental-corporation.com
Thu May 18 06:46:49 UTC 2017
Hi Everyone,
we've found an XSS vulnerability in the email fields which are shown when
you create a new dataset. This can be triggered by entering
"><script>alert('foo');</script> in one of the mail fields. When a user
accesses a dataset the alert message will pop up.
This is caused by the function webhelpers.html.tools.mail_to on which CKAN
relies.
Kind regards
Jakob Niggel
Continental
Corporate IT Infrastructure - Server and Cloud Operations
C IN SC LX
Continental Automotive GmbH
Siemensstrasse 12, 93055 Regensburg, Germany
Telefon/Phone: +49 941 790-4892
E-Mail: Jakob.Niggel at continental-corporation.com
http://www.continental-corporation.com
________________________________________________________________________
Continental Automotive GmbH, Vahrenwalder Str. 9, D-30165 Hannover
Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Helmut Matschi
Geschaeftsfuehrer/Managing Director: Georg Sistermanns, Harald Stuhlmann
Sitz der Gesellschaft/Registered Office: Hannover
Registergericht/Registered Court: Amtsgericht Hannover, HRB 59424
USt.-ID-Nr./VAT-ID-No. DE814950663
________________________________________________________________________
Proprietary and confidential. Distribution only by express authority of
Continental AG or its subsidiaries. As an employee of Continental Automotive GmbH
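The following is an added illustration of the bug class described in the report above; it is not code from CKAN, from webhelpers, or from the reporter. A deliberately simplified mailto helper that interpolates the submitted address into HTML without escaping models the behaviour the report attributes to webhelpers.html.tools.mail_to, and is placed beside the hardened form that escapes every untrusted value. The helper names, the input-validation policy and the sample address are assumptions made for this example; the payload is the one quoted in the report and is used only as regression-test input.

```python
"""Added illustration of the email-field XSS class described in the report.

render_mailto_unescaped is a deliberately simplified stand-in for a mailto
helper that interpolates the address into HTML without escaping. It models
the behaviour the report attributes to webhelpers.html.tools.mail_to; it is
not that library's code. render_mailto_escaped is the hardened form, and
is_plausible_email is a hypothetical input-side check for defence in depth.
The sample address below is constructed for this example.
"""
import html
import re
from html.parser import HTMLParser

# The payload quoted in the report, used here only as regression-test input.
REPORT_PAYLOAD = "\"><script>alert('foo');</script>"

# Constructed, benign sample address.
SAMPLE_ADDRESS = "maintainer@example.org"


def render_mailto_unescaped(address, name=None):
    """Vulnerable model: the address lands in an attribute value and in the
    element text exactly as submitted, so a quote plus '>' closes the tag
    and whatever follows is parsed as new markup."""
    label = name if name is not None else address
    return '<a href="mailto:%s">%s</a>' % (address, label)


def render_mailto_escaped(address, name=None):
    """Hardened form: every untrusted value is HTML-escaped, quotes included,
    so it can neither terminate the href attribute nor open a new element."""
    label = name if name is not None else address
    return '<a href="mailto:%s">%s</a>' % (
        html.escape(address, quote=True),
        html.escape(label, quote=True),
    )


# Hypothetical validation policy for this example (not CKAN's own rules):
# one '@', a dotted domain, and no whitespace, angle brackets or quotes.
_EMAIL_RE = re.compile(r"^[^\s<>\"'@]+@[^\s<>\"'@]+\.[^\s<>\"'@]+$")


def is_plausible_email(value):
    """Input-side check: reject values that cannot be an address. Output
    escaping stays mandatory; this only narrows what reaches storage."""
    return bool(_EMAIL_RE.match(value))


class _StartTagCollector(HTMLParser):
    """Collects start-tag names so a test can see what markup actually results."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(rendered):
    """Return the element names an HTML parser sees in `rendered`.
    A correctly escaped mailto link yields exactly ['a']; a second element
    name in the list means the input escaped its attribute/text context."""
    collector = _StartTagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for render in (render_mailto_unescaped, render_mailto_escaped):
        print(render.__name__, start_tags(render(REPORT_PAYLOAD)))
    print("input accepted:", is_plausible_email(REPORT_PAYLOAD))
```

Running the block prints the element names each renderer produces for the reported payload; the unescaped model yields an `a` element followed by two `script` elements, the escaped form yields only `a`, and the input check rejects the payload outright. The parse-based check is the useful regression test here: it asserts on what the markup becomes rather than on the presence of a particular string.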