oss-sec mailing list archives

XSS in CollectiveAccess 1.3 and earlier


From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Mon, 04 Nov 2013 13:32:42 -0500

There was a cross-site scripting (XSS) vulnerability in CollectiveAccess, a web-based archive cataloging system written in PHP.

CollectiveAccess 1.3.1 was released including this fix.

http://www.collectiveaccess.org/news/collectiveaccess-version-1-3-1-released/

The issue was reported at:

 http://clangers.collectiveaccess.org/jira/browse/PROV-638

 (the PROV-638 ticket may not be accessible to the public)

The changeset fixing it is:

https://github.com/collectiveaccess/providence/commit/b54e01419966c8d8f23db532caad91304c977776

Regards,

        --dkg

