Bug #13495

Clipboard export page is vulnerable to XSS attacks

Added by José Raddaoui Marín 6 months ago. Updated 4 months ago.

Status: Verified
Start date: 04/08/2021
Priority: Medium
Due date:
Assignee: José Raddaoui Marín
% Done: 0%
Category: Security
Target version: Release 2.6.4
Google Code Legacy ID:
Tested version: 2.4, 2.5, 2.6
Sponsored: No
Requires documentation: No

atom_2x_issue_13495.patch (1.96 KB) José Raddaoui Marín, 04/08/2021 02:00 PM

History

#1 Updated by Dan Gillean 6 months ago

  • Target version set to Release 2.6.4
  • Requires documentation set to No

#2 Updated by José Raddaoui Marín 6 months ago

  • File atom_2x_issue_13495.patch added
  • Status changed from New to In progress
  • Assignee set to José Raddaoui Marín
  • Tested version 2.4, 2.5 added

The 2.4.x and 2.5.x versions are also affected. Attaching a patch that works in all versions from 2.4.x to 2.6.x. To apply the patch over a running AtoM instance, move to the AtoM folder, check that the patch will work over the existing source code, and apply it:

Using Git:

cd /path/to/atom
git apply --check /path/to/atom_2x_issue_13495.patch
git apply --stat /path/to/atom_2x_issue_13495.patch
git apply /path/to/atom_2x_issue_13495.patch

Using Patch:

cd /path/to/atom
patch -p1 --dry-run < /path/to/atom_2x_issue_13495.patch
patch -p1 --dry-run --verbose < /path/to/atom_2x_issue_13495.patch
patch -p1 < /path/to/atom_2x_issue_13495.patch

Then clear the Symfony cache and restart PHP-FPM:

php symfony cc
sudo systemctl restart php7.2-fpm

#3 Updated by Dan Gillean 6 months ago

  • Private changed from Yes to No

#4 Updated by Dan Gillean 6 months ago

  • Status changed from In progress to Verified

#5 Updated by José Raddaoui Marín 4 months ago

Minor change for 2.7 that may prevent this issue in the future ... https://github.com/artefactual/atom/pull/1322
