CVE-2021-46251: SECURITY: Escape username in invalid username error · ScratchVerifier/ScratchOAuth2@1603f04

A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.


SECURITY: Escape username in invalid username error

POST request with invalid usernames to SpecialScratchOAuth2 page in ScratchOAuth2 may lead to reflected cross-site scripting.
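The bug class behind this commit, reproduced in plain PHP as an added example (this is not code from ScratchOAuth2 or MediaWiki, and it does not use wfMessage()): a POST value that fails validation is reflected back inside an HTML error message. The vulnerable function mirrors the removed line, where the username went in as a message parameter and came out through ->plain() unescaped; the hardened one does what ->plaintextParams($username)->parse() does in MediaWiki, treating the parameter as literal text before it lands in markup. The username regex and the message template are assumptions, since SOA2_USERNAME_REGEX is not shown in the diff.

```php
<?php
// Added example, not code from ScratchOAuth2 or MediaWiki.
// Reproduces the reflected-XSS pattern fixed in commit 1603f04 in plain PHP.
//
// Assumed (not from the original page): the username rule below and the
// wording of the error message.
const EXAMPLE_USERNAME_REGEX = '/^[A-Za-z0-9_-]{3,20}$/';

// Vulnerable: the raw request value is interpolated straight into HTML.
function invalidUsernameErrorVulnerable(string $username): string {
    return "<p class=\"error\">Invalid username: $username</p>";
}

// Hardened: the value is HTML-escaped before it is placed in markup, so
// angle brackets and quotes from the request cannot start a tag or attribute.
function invalidUsernameErrorSafe(string $username): string {
    $escaped = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p class=\"error\">Invalid username: $escaped</p>";
}

// Login POST handler: returns the HTML fragment that would be rendered.
// $hardened selects which error renderer is used.
function handleLoginPost(array $post, bool $hardened): string {
    $username = $post['username'] ?? '';
    if (!preg_match(EXAMPLE_USERNAME_REGEX, $username)) {
        return $hardened
            ? invalidUsernameErrorSafe($username)
            : invalidUsernameErrorVulnerable($username);
    }
    return '<p>Username accepted</p>';
}

// Constructed request: a username that fails the regex and carries markup.
$crafted = ['username' => '<img src=x onerror=alert(1)>'];

echo "vulnerable: " . handleLoginPost($crafted, false) . "\n";
echo "hardened:   " . handleLoginPost($crafted, true) . "\n";

// The check a practitioner would run against the fixed page: no tag from the
// input survives in the hardened output, only its escaped form.
$safe = handleLoginPost($crafted, true);
if (strpos($safe, '<img') !== false ||
    strpos($safe, '&lt;img src=x onerror=alert(1)&gt;') === false) {
    fwrite(STDERR, "hardened renderer still reflects markup\n");
    exit(1);
}
echo "hardened output escapes the payload\n";
```

The regex check alone is not a defence: it decides whether the value is accepted, but the rejected value is the one that gets echoed, so the escaping has to happen on the error path. In MediaWiki the equivalent is choosing plaintextParams() over positional parameters whenever the parameter comes from the request, and rendering the result with parse() or escaped() rather than plain().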

@apple502j

1 parent d856dc7 commit 1603f04e44ef67dde6ccffe866d2dca16defb293

Showing with 1 addition and 1 deletion.

  1. +1 −1 includes/special/SpecialScratchOAuth2.php

@@ -69,7 +69,7 @@ public function specialLogin( $error = null ) {

$username = $request->getVal( 'username’, '’, );

if (!preg_match(SOA2_USERNAME_REGEX, $username)) {

$this->specialLogin(

wfMessage('soa2-invalid-username’, $username)->plain()

wfMessage(‘soa2-invalid-username’)->plaintextParams($username)->parse()

);

return;

}
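Review bot: The new line makes $error an already-parsed HTML string (parse() returns HTML with the username escaped via plaintextParams), which is only safe if specialLogin() emits $error as raw HTML exactly once; that rendering code is outside this hunk, so it is worth confirming that it neither escapes the value a second time (which would show literal &lt; entities to the user) nor accepts raw text from any other caller through the same $error parameter (which would be emitted unescaped). Minor: the trailing comma in `$request->getVal( 'username', '', )` requires PHP 7.3 or later and, after an empty default, reads like a leftover; dropping it would avoid a parse error on older interpreters.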
