ID: 2389
Title: Fixed XSS using the _body_class parameter of views
Component: Multisite
Level: 1
Class: Security Fix
Version: 1.2.7i3
It was possible to use the _body_class parameter of the status GUI views
to inject HTML/JavaScript code into the pages.
The _body_class parameter, which was only used for internal purposes, has
now been removed completely.