Affected Versions
Versions 3.0.0 through 3.0.3 are affected.
Description
Some messages may be rendered without proper sanitization, making the system vulnerable to cross-site scripting (XSS) attacks through carefully crafted URLs. Two distinct message types are vulnerable to such an attack. Disabling PHP error reporting mitigates one of these vectors. Both issues are fully resolved in patch release 3.0.4.
Resolution
Upgrade to version 3.0.4. Related tasks:
- CORE-796
- CORE-797
Credits
Thanks to Vlad C. of NetSec Interactive Solutions for reporting these issues.