xpra icon
Bug tracker and wiki

This bug tracker and wiki are being discontinued
please use https://github.com/Xpra-org/xpra instead.


Opened 12 months ago

Closed 12 months ago

Last modified 3 months ago

#2724 closed defect (fixed)

XSS vulnerability in xpra HTML5 client

Reported by: flx Owned by: Antoine Martin
Priority: critical Milestone: 4.0
Component: html5 Version: trunk
Keywords: Cc:

Description

Hello,

we found a very simple XSS voulnerability in the xpra HTML5 client.
Demo: https://xpra.org/html5/connect.html?disconnect=%3Cimg%20src=x%20onerror=alert(%27hello%27);%3E

Patch file is attached.

Cheers!

Attachments (1)

connect.html-diff (596 bytes) - added by flx 12 months ago.

Download all attachments as: .zip

Change History (4)

Changed 12 months ago by flx

Attachment: connect.html-diff added

comment:1 Changed 12 months ago by Antoine Martin

Resolution: fixed
Status: newclosed

Thanks, applied in r26077.

comment:2 Changed 12 months ago by flx

Summary: XSS voulnerability in xpra HTML5 clientXSS vulnerability in xpra HTML5 client

comment:3 Changed 3 months ago by migration script

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2724

Note: See TracTickets for help on using tickets.