Question

As you may know, 1.9.3.1 has been released.

In the release notes, I found that on top of bug fixes, there were also two security features:

  • Prevented a potential Cross-Site Request Forgery (CSRF) vulnerability by changing the form key when a customer signs out of the storefront.
  • Prevented a potential Cross-Site Scripting (XSS) vulnerability when adding a category.

I found the code change related to the first point in Mage/Customer/Model/Session; however, I can't get my hands on the changes made to apply the second security feature. Could anyone enlighten me here?
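To make the two release-note items concrete, here is an added, self-contained Python illustration (not Magento's code, and not from the question or any answer) of what each fix protects against: the first part models a server-side session with a per-session form key, comparing a logout that keeps the old key (assumed pre-fix behaviour, for illustration only) with one that discards it so a token captured during the earlier login no longer validates; the second part shows output encoding of a user-supplied category name before it is placed in an HTML success message, which is the generic mitigation for an XSS issue of the kind the second note describes. The `Session`, `handle_post` and `render_category_added` names are assumptions for the example.

```python
import html
import secrets


class Session:
    """Constructed in-memory stand-in for a server-side session (not Magento's Mage_Core_Model_Session)."""

    def __init__(self):
        self.data = {}
        self.customer_id = None

    def form_key(self):
        # Lazily mint a per-session CSRF token; the same value is embedded in every form.
        if "form_key" not in self.data:
            self.data["form_key"] = secrets.token_urlsafe(16)
        return self.data["form_key"]

    def login(self, customer_id):
        self.customer_id = customer_id

    def logout_weak(self):
        # Assumed pre-fix behaviour: the customer is signed out but the form key survives,
        # so a token leaked during the old login still passes validation afterwards.
        self.customer_id = None

    def logout_fixed(self):
        # Fixed behaviour as described in the release note: forget the form key on sign-out
        # so the next request gets a fresh one and stale tokens are rejected.
        self.customer_id = None
        self.data.pop("form_key", None)


def check_form_key(session, submitted):
    """Constant-time comparison of the submitted form_key with the session's current key."""
    return secrets.compare_digest(session.form_key(), submitted or "")


def handle_post(session, form):
    """Hypothetical POST controller: reject the request unless the form key matches."""
    if not check_form_key(session, form.get("form_key")):
        return 403, "Invalid Form Key. Please refresh the page."
    return 200, "OK"


def render_category_added(name):
    """Build the 'category added' message with the user-supplied name HTML-escaped.

    An unsafe variant would interpolate `name` raw, letting markup in the category
    name execute in the admin's browser; html.escape() neutralises <, >, &, " and '.
    """
    return '<div class="success-msg">Category "%s" was added.</div>' % html.escape(name, quote=True)


def csrf_rotation_demo():
    """Return whether a token captured before logout is still accepted, for each logout variant."""
    weak = Session()
    weak.login(7)
    old_key = weak.form_key()
    weak.logout_weak()
    stale_accepted_weak = handle_post(weak, {"form_key": old_key})[0] == 200

    fixed = Session()
    fixed.login(7)
    old_key = fixed.form_key()
    fixed.logout_fixed()
    stale_accepted_fixed = handle_post(fixed, {"form_key": old_key})[0] == 200

    return {"weak_logout": stale_accepted_weak, "fixed_logout": stale_accepted_fixed}


if __name__ == "__main__":
    print(csrf_rotation_demo())
    print(render_category_added('Shoes "Sale" <b>'))
```

Running the module prints `{'weak_logout': True, 'fixed_logout': False}` followed by the escaped message; the only difference between the two logout paths is whether the form key is discarded, which is exactly the change the first release note describes.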


Solution

Got the confirmation from a Magento team member that the second security fix:

Prevented a potential Cross-Site Scripting (XSS) vulnerability when adding a category.

is only affecting EE.

OTHER TIPS

Prevented a potential Cross-Site Scripting (XSS) vulnerability when adding a category.

Maybe something related to the alert when the category is added

This is my guess: My best guess

Licensed under: CC-BY-SA with attribution