Magento 1.9.3.1: Prevented a potential Cross-Site Scripting (XSS) vulnerability when adding a category
04-10-2020
Question
As you may know, 1.9.3.1 has been released.
In the release notes, I found that on top of bug fixes, there were also two security features:
- Prevented a potential Cross-Site Request Forgery (CSRF) vulnerability by changing the form key when a customer signs out of the storefront.
- Prevented a potential Cross-Site Scripting (XSS) vulnerability when adding a category.
I found the code change related to the first point in Mage/Customer/Model/Session;
however, I can't get my hands on the changes made to apply the second security feature. Could anyone enlighten me here?
Solution
Got confirmation from a Magento team member that the second security fix:
- Prevented a potential Cross-Site Scripting (XSS) vulnerability when adding a category.
is only affecting EE.
Licensed under: CC-BY-SA with attribution