ID: 6449
Title: Fixed stored XSS using custom host / user attributes
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
A user with admin privileges could inject arbitrary JS code into custom
attributes which could then be executed in the context of other users.
Show replies by date