CVE-2021-4253: Fix reflected XSS · ctrlo/lenio@7a1f90b

A vulnerability classified as problematic was found in ctrlo lenio. It affects an unknown function in the library lib/Lenio.pm of the Ticket Handler component: manipulation of the site_id argument leads to reflected cross-site scripting, and the attack can be launched remotely. The fix is commit 7a1f90bd2a0ce95b8338ec0926902da975ec64d9; applying the patch is recommended. The vulnerability has been assigned the identifier VDB-216210.


@@ -646,6 +646,9 @@ any ['get’, ‘post’] => ‘/ticket/:id?’ => require_login sub { } elsif (defined($id) && !body_parameters->get(‘submit’)) { my $site_id = query_parameters->get(‘site_id’) ? int(query_parameters->get(‘site_id’)) : session(‘site_id’); # If applicable, Prefill ticket fields with initial values based on task if ($task) { @@ -660,13 +663,13 @@ any ['get’, ‘post’] => ‘/ticket/:id?’ => require_login sub { planned => $date, actionee => $task->global ? ‘external’ : 'local’, task_id => $task->id, site_id => query_parameters->get(‘site_id’) || session(‘site_id’), site_id => $site_id, }); } } else { $ticket = rset(‘Ticket’)->new({ site_id => query_parameters->get(‘site_id’) || session(‘site_id’), site_id => $site_id, }); } }
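Review bot: the new `my $site_id = query_parameters->get('site_id') ? int(query_parameters->get('site_id')) : session('site_id');` line in the first hunk (@@ -646) coerces but never rejects malformed input: `int()` returns 0 for a non-numeric value such as `site_id=abc` (with a warning under `use warnings`) and silently truncates `12abc` to 12, so a bad id becomes a lookup for site 0 rather than an error, and the truthiness test on the raw parameter means a non-numeric value that the old `||` expression would have passed through unchanged is now turned into 0. Suggest validating explicitly and falling back to the session (or returning a 400) when the parameter does not match, e.g. `my ($site_id) = (query_parameters->get('site_id') // '') =~ /^(\d+)$/;` followed by `$site_id //= session('site_id');`, which keeps the markup out of the response while still distinguishing "absent" from "invalid".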
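Review bot: replacing both `site_id => query_parameters->get('site_id') || session('site_id')` entries with `site_id => $site_id` in the second hunk (@@ -660) is the right consolidation, but it relies on the `my $site_id` lexical declared in the preceding `elsif` block still being in scope at both `rset('Ticket')->new` calls; the `} } else {` at the end of the hunk should be the `else` of `if ($task)` inside that block rather than a sibling of the `elsif`, which is worth confirming (under `use strict` an out-of-scope lexical fails at compile time, so running the handler once settles it). Note also that the coercion only protects this one parameter in this one handler: the session value and any other request parameter echoed by the ticket templates are unchanged, so the durable fix is escaping at the template output sink, with the `int()` validation kept as defence in depth.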
