CVE-2023-2103: Escape the legal settings, service and category name in the booking page · alextselegidis/easyappointments@46a8653
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
@@ -1,7 +1,7 @@
<?php
/**
* Local variables.
*
*
* @var array $available_services
*/
?>
@@ -66,11 +66,11 @@
if (count($group) > 0)
{
echo ‘<optgroup label="’ . $group_label . '">’;
echo ‘<optgroup label="’ . e($group_label) . '">’;
foreach ($group as $service)
{
echo ‘<option value="’ . $service[‘id’] . ‘">’
. $service[‘name’] . '</option>’;
. e($service[‘name’]) . '</option>’;
}
echo '</optgroup>’;
}
@@ -80,7 +80,7 @@
{
foreach ($available_services as $service)
{
echo ‘<option value="’ . $service[‘id’] . ‘">’ . $service[‘name’] . '</option>’;
echo ‘<option value="’ . $service[‘id’] . ‘">’ . e($service[‘name’]) . '</option>’;
}
}
?>
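Review bot: `$service['id']` is still concatenated raw into the `value="…"` attribute in both the `@@ -66` and `@@ -80` hunks (`echo '<option value="' . $service['id'] . '">'`), while only the option text and the optgroup label now go through `e()`. That value is almost certainly an integer primary key from the database, but the template has no way to guarantee it, so apply the same escaping there for consistency: `echo '<option value="' . e($service['id']) . '">' . e($service['name']) . '</option>';`. `e()` is presumably an `htmlspecialchars` wrapper; it should be confirmed to use `ENT_QUOTES` (and a UTF-8 charset), since every one of these values is being placed inside a double-quoted attribute or directly in element text. The "legal settings" part of the fix named in the title is not in the hunks shown, so this note covers only the service/category selector.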