View Issue Details

ID: 0000345
Project: FineFriends
Category: [All Projects] Security
View Status: public
Last Update: 2019-07-31 09:36
Reporter: tim
Assigned To: tim
Priority: urgent
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 1.3.0
Target Version: 1.3.0
Fixed in Version: 1.3.0
Summary: 0000345: XSS in new external registration flow
Description: If a user signs up with an external service using the new registration flow, some account settings can be changed on first login.

One of those details is the display name, which is displayed on the next slide (It says 'Nice to meet you ...').
The display name is not escaped, which might allow some sort of XSS.
Steps To Reproduce:
- Sign up with an external service.
- Change the display name to something like <script>alert('test')</script>
- Click Next
- An alert will show up with the text 'test'.
Tags: Bug, Safety

Relationships

related to 0000329 (resolved, tim): Improve registration flow using third party login

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-07-31 08:58 tim New Issue
2019-07-31 08:58 tim Status new => assigned
2019-07-31 08:58 tim Assigned To => tim
2019-07-31 08:58 tim Tag Attached: Bug
2019-07-31 08:58 tim Tag Attached: Safety
2019-07-31 08:58 tim Relationship added related to 0000329
2019-07-31 09:36 tim Status assigned => resolved
2019-07-31 09:36 tim Resolution open => fixed
2019-07-31 09:36 tim Fixed in Version => 1.3.0
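
The unescaped display name from issue 0000345 next to an escaped rendering, as an added example that is not FineFriends code. The function names and the `<h2>` wrapper are assumptions; the payload is the one from the steps to reproduce.

```javascript
// Added example with hypothetical names; not taken from the FineFriends code base.
// Payload copied from "Steps To Reproduce" in the issue.
const PAYLOAD = "<script>alert('test')</script>";

// Characters that are significant in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape at output time. "&" is part of the same single pass, so input that
// already looks like an entity ("&lt;") is shown literally, not decoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the display name is concatenated into the slide markup as-is,
// which is the behaviour the issue describes.
function renderGreetingUnsafe(displayName) {
  return "<h2>Nice to meet you " + displayName + "</h2>";
}

// "After": the same slide with the display name escaped.
function renderGreetingSafe(displayName) {
  return "<h2>Nice to meet you " + escapeHtml(displayName) + "</h2>";
}

// Regression check: true if anything inside the (assumed) <h2> wrapper
// still contains raw angle brackets, i.e. user input became markup.
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<h2>/, "").replace(/<\/h2>$/, "");
  return /[<>]/.test(inner);
}

console.log(renderGreetingUnsafe(PAYLOAD)); // raw <script> element reaches the page
console.log(renderGreetingSafe(PAYLOAD));   // shown as text on the slide
```

In browser code, assigning the name through `textContent` gives the same result without manual escaping.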