CVE-2016-2138: Block XSS in wget commands (file links) · ikoniaris/kippo-graph@e6587ec
In kippo-graph before version 1.5.1, there is a cross-site scripting vulnerability in xss_clean() in class/KippoInput.class.php.
@@ -444,7 +444,7 @@ public function printWgetCommands() echo ‘<td>’ . $counter . '</td>’; echo ‘<td>’ . $row[‘timestamp’] . '</td>’; echo ‘<td>’ . xss_clean($row[‘input’]) . '</td>’; $file_link = explode(" ", trim($row[‘file’]))[0]; $file_link = explode(" ", trim(xss_clean($row[‘file’])))[0]; // If the link has no “http://” in front, then add it if (substr(strtolower($file_link), 0, 4) !== ‘http’) { $file_link = ‘http://’ . $file_link;
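Review bot: the hunk sanitises $row['file'] with xss_clean() before the explode, but it does not show how $file_link is later emitted; if it ends up inside an href attribute, the robust place to defend is the output point, with htmlspecialchars($file_link, ENT_QUOTES, 'UTF-8'), rather than input sanitisation alone. The scheme check `substr(strtolower($file_link), 0, 4) !== 'http'` only inspects the first four characters, so it does not establish that the value is a well-formed http or https URL; consider validating with `filter_var($file_link, FILTER_VALIDATE_URL)` and checking `parse_url($file_link, PHP_URL_SCHEME)` against an allow-list of http and https before building the link, and document in the commit message that the table cell and the link are now both covered.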