CVE-2021-43725: Update SpotPage_login.php · spotweb/spotweb@2bfa001
There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login.php of Spotweb 1.5.1 and below, which allows remote attackers to inject arbitrary web script or HTML via the data[performredirect] parameter.
@@ -37,7 +37,12 @@ public function render()
// bring the form action into the local scope
$formAction = $this->_loginForm[‘action’];
// Check redirect for chevrons, deny if found.
if (preg_match('/[<>]/i’, $this->_params[‘data’][‘performredirect’])) {
$result->addError(_(‘Script is not allowed’));
}
// Are we already submitting the form login?
if (!empty($formAction)) {
// make sure we can simply assume all fields are there
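Review bot: the new chevron check only records an error with `$result->addError(...)` and then falls straight through to the `if (!empty($formAction))` branch, so nothing visible in this hunk prevents the rejected value from still being used as the redirect target; add an early return after the error (or guard the login/redirect path on `$result` having no errors) so a rejected `performredirect` is never acted on. Two smaller points on the same lines: `$this->_params['data']['performredirect']` is read without an `isset()`/`empty()` guard, so a request that omits the parameter will raise a PHP notice, and the `i` modifier on `/[<>]/i` does nothing for a character class of symbols. More generally, a deny-list on `<` and `>` blocks only the payload shape named in the advisory; since the value is a redirect destination, validating it positively as a same-origin relative path (rejecting absolute URLs and scheme-bearing values, or matching it against an allow-list of known pages) and HTML-escaping it wherever it is echoed would address the class of bug rather than one encoding of it.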