
Opened 4 months ago

Closed 4 months ago

Last modified 4 months ago

#2724 closed defect (fixed)

XSS vulnerability in xpra HTML5 client

Reported by: flx Owned by: Antoine Martin
Priority: critical Milestone: 4.0
Component: html5 Version: trunk
Keywords: Cc:

Description

Hello,

We found a very simple XSS vulnerability in the xpra HTML5 client.
Demo: https://xpra.org/html5/connect.html?disconnect=%3Cimg%20src=x%20onerror=alert(%27hello%27);%3E

Patch file is attached.

Cheers!
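For readers of this ticket, the pattern behind the reported bug and its fix, as an added example: this is not the reporter's attached patch and not xpra's own connect.html code. It assumes the client reads a `disconnect` query parameter and shows it as the disconnect reason; the demo query string from the report is used as constructed input.

```javascript
// Added example, not xpra code. Assumption: connect.html displays the value of
// the `disconnect` URL parameter; how the real page did so is not shown here.

// Encode the five characters that let text break out of an HTML text node or
// a double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the parameter is concatenated into markup verbatim, so a
// value containing tags is parsed as HTML instead of being shown as text.
function renderDisconnectUnsafe(queryString) {
  const reason = new URLSearchParams(queryString).get("disconnect") || "";
  return "<div id='disconnect'>" + reason + "</div>";
}

// Hardened pattern: escape before concatenation (in a browser, assigning the
// value to element.textContent instead of building markup is equivalent).
function renderDisconnectSafe(queryString) {
  const reason = new URLSearchParams(queryString).get("disconnect") || "";
  return "<div id='disconnect'>" + escapeHtml(reason) + "</div>";
}

// Detection heuristic: does a rendered fragment contain any element the
// template itself did not emit? Useful as a regression check in tests.
function containsInjectedTag(html, allowedTags = ["div"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed input: the query string of the demo URL from the report.
const DEMO_QUERY = "?disconnect=%3Cimg%20src=x%20onerror=alert(%27hello%27);%3E";
```

With `DEMO_QUERY`, `renderDisconnectUnsafe` emits a live `<img>` element while `renderDisconnectSafe` emits only the escaped text, which the heuristic distinguishes.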

Attachments (1)

connect.html-diff (596 bytes) - added by flx 4 months ago.


Change History (3)

Changed 4 months ago by flx

Attachment: connect.html-diff added

comment:1 Changed 4 months ago by Antoine Martin

Resolution: fixed
Status: new → closed

Thanks, applied in r26077.

comment:2 Changed 4 months ago by flx

Summary: XSS voulnerability in xpra HTML5 client → XSS vulnerability in xpra HTML5 client