Connections <= 8.5.8 - Reflected Cross-Site Scripting (XSS)



Description
Line 320 echoes the 's' GET parameter (the search field value) straight back into the page without any filtering or encoding. The value lands inside a double-quoted HTML attribute, so a request whose 's' parameter contains a double quote closes the value attribute and can append event-handler attributes or further markup; the isset()/!empty() check only decides whether to echo and sanitizes nothing.

In file includes/admin/pages/manage.php
Line 320:
<input type="search" id="entry-search-input" name="s" value="<?php if (
isset( $_GET['s'] ) && ! empty( $_GET['s'] )) echo $_GET['s'] ; ?>" />
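The following is an added example, not code from the Connections plugin or from the advisory. It reproduces the attribute-context reflection from line 320 beside a hardened version, feeds both a constructed proof-of-concept value, and counts the attributes that end up on the rendered input element so the break-out is visible without a browser. The hardened form uses WordPress's core esc_attr(); a fallback stub is defined so the script runs from the PHP CLI outside WordPress. Whether version 8.5.9 fixed the line this exact way is not stated on this page. Since the affected file sits under includes/admin/pages/, the reflection is on an admin page, so a realistic victim is an authenticated user with access to that page who opens a crafted link.

```php
<?php
// Added example for WPVDB 8372 (Connections <= 8.5.8 reflected XSS).
// Not the plugin's code; the function names below are illustrative.

// Fallback so this runs from the CLI. Inside WordPress, core esc_attr()
// already exists and this stub is skipped. ENT_QUOTES is what matters:
// it turns both " and ' into entities, so the value cannot leave the attribute.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Vulnerable form, mirroring the original line 320. The isset()/!empty()
// test only decides whether to echo; the raw value goes into the attribute.
function render_search_vulnerable( array $get ) {
    $value = ( isset( $get['s'] ) && ! empty( $get['s'] ) ) ? $get['s'] : '';
    return '<input type="search" id="entry-search-input" name="s" value="' . $value . '" />';
}

// Hardened form: identical markup, value encoded for an HTML attribute context.
function render_search_fixed( array $get ) {
    $value = isset( $get['s'] ) ? esc_attr( $get['s'] ) : '';
    return '<input type="search" id="entry-search-input" name="s" value="' . $value . '" />';
}

// Check: parse the rendered fragment and count attributes on the <input>.
// A successful break-out adds attributes (here: autofocus, onfocus).
function count_input_attributes( $html ) {
    $doc = new DOMDocument();
    libxml_use_internal_errors( true );
    $doc->loadHTML( '<!DOCTYPE html><html><body>' . $html . '</body></html>' );
    libxml_clear_errors();
    $input = $doc->getElementsByTagName( 'input' )->item( 0 );
    return $input ? $input->attributes->length : 0;
}

// Constructed proof-of-concept value, as $_GET['s'] would hold it after URL
// decoding (the request would carry it as %22%20autofocus%20onfocus%3D...).
// No <script> tag is needed: a single " is enough to leave the value attribute.
$constructed_get = array( 's' => '" autofocus onfocus="alert(document.domain)' );

foreach ( array( 'vulnerable' => 'render_search_vulnerable',
                 'fixed'      => 'render_search_fixed' ) as $label => $renderer ) {
    $html = $renderer( $constructed_get );
    // Expected: vulnerable renders 6 attributes (type, id, name, value,
    // autofocus, onfocus); fixed renders the original 4.
    printf( "%-10s attributes=%d  %s\n", $label, count_input_attributes( $html ), $html );
}
```

Run it with php on the command line. The vulnerable renderer emits value="" autofocus onfocus="alert(document.domain)" />, a well-formed input with an injected handler that fires as soon as the element receives focus; the hardened renderer emits value="&quot; autofocus onfocus=&quot;alert(document.domain)" />, which the parser treats as one inert attribute value. The attribute count is a cheap regression check for any template that interpolates request data into attributes: it should not change when the input changes.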

Affects Plugin

Fixed in version 8.5.9

References

CVE 2016-0770
SECURITYFOCUS 82355
URL http://www.vapidlabs.com/advisory.php?v=161

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter firefart
Submitter Website https://firefart.at/
Submitter Twitter _FireFart_
Views 1252
Verified No
WPVDB ID 8372

Timeline

Publicly Published 2016-02-02 (almost 3 years ago)
Added 2016-02-02 (almost 3 years ago)
Last Updated 2017-03-16 (over 1 year ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.