Question

As you may know, 1.9.3.1 has been released.

In the release notes, I found that on top of bug fixes, there were also two security features:

  • Prevented a potential Cross-Site Request Forgery (CSRF) vulnerability by changing the form key when a customer signs out of the storefront.
  • Prevented a potential Cross-Site Scripting (XSS) vulnerability when adding a category.

I found the code change related to the first point in Mage/Customer/Model/Session; however, I can't get my hands on the changes made to apply the second security feature. Could anyone enlighten me here?
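To illustrate what the first release-note item is protecting against, here is an added example (not Magento's code, and in Python rather than PHP) of a minimal form-key lifecycle. The `Session`, `login`, `logout` and `validate_form_key` names are assumptions for this illustration only. The point it shows: if the form key is left unchanged on sign-out, a key that was valid during the previous customer's session still validates against the same browser session afterwards; rotating the key on logout invalidates it.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Toy server-side session (assumed for this example, not Magento's Mage_Customer_Model_Session)."""
    customer_id: Optional[int] = None
    # Anti-CSRF form key, generated when the session is created.
    form_key: str = field(default_factory=lambda: secrets.token_urlsafe(16))

    def renew_form_key(self) -> str:
        """Replace the form key with a fresh random value."""
        self.form_key = secrets.token_urlsafe(16)
        return self.form_key


def login(session: Session, customer_id: int) -> None:
    """Bind the customer to the session and rotate the form key."""
    session.customer_id = customer_id
    session.renew_form_key()


def logout(session: Session, rotate_form_key: bool = True) -> None:
    """Sign the customer out. `rotate_form_key=False` models the pre-1.9.3.1 behaviour
    described in the release notes; `True` models the fix."""
    session.customer_id = None
    if rotate_form_key:
        session.renew_form_key()


def validate_form_key(session: Session, submitted: object) -> bool:
    """Constant-time check of a submitted form key against the session's current key.
    Rejects non-string or non-ASCII input instead of raising."""
    if not isinstance(submitted, str) or not submitted.isascii():
        return False
    return secrets.compare_digest(session.form_key, submitted)


def stale_key_accepted_after_logout(rotate: bool) -> bool:
    """Returns True if a form key captured during a login session is still
    accepted after logout, for the given logout behaviour."""
    s = Session()
    login(s, 42)
    key_during_session = s.form_key  # constructed: the key a page rendered before logout would carry
    logout(s, rotate_form_key=rotate)
    return validate_form_key(s, key_during_session)


if __name__ == "__main__":
    print("without rotation, stale key accepted:", stale_key_accepted_after_logout(False))
    print("with rotation, stale key accepted:   ", stale_key_accepted_after_logout(True))
```

Without rotation the stale key is still accepted, which is the condition the 1.9.3.1 change removes; with rotation it is rejected. The `isascii()` guard is there because `secrets.compare_digest` raises on non-ASCII strings, and a validator should fail closed rather than crash on odd input.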


Solution

Got the confirmation from a Magento team member that the second security fix:

Prevented a potential Cross-Site Scripting (XSS) vulnerability when adding a category.

Is only affecting EE.

Other tips

Prevented a potential Cross-Site Scripting (XSS) vulnerability when adding a category.

Maybe something related to the alert when the category is added

This is my guess: My best guess

Licensed under: CC-BY-SA with attribution