HTML Logo by World Wide Web Consortium ( Click to learn more about our commitment to accessibility and standards.

Moving forward with Composr

ocPortal has been relaunched as Composr CMS. ocPortal 9 is superseded by Composr 10.

Head over to for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.

Security patch for XSS vulnerability - Comments

Login / Search

 [ Join | More ]

Security patch for XSS vulnerability

Posted 07 November 2015, 11:34 PM
An XSS security hole has been found in ocPortal and reported to us yesterday. Additionally there are 2 very similar flaws that additional testing has found.

This hole allows a hacker to potentially interfere with your website by guiding a logged in administrator to a malicious URL.

It is important to apply the attached security patch as soon as possible. This patch is compatible with ocPortal 9 sites. The attached zip contains 3 altered template files, to be uploaded to the themes/default/templates

Read more


You should always put affected and fixed in versions to your security advisories and notifications. In this case, if I am correct, these are following:

Affected: <= 9.0.20
Fixed in: 9.0.21

CVE request for this vulnerability in here: oss-security - Cross site vulnerability (XSS) in OcPortal CMS 9.0.20">
Thanks for the feedback.

We have a process where we directly flag the urgency of upgrading to a new release to people, but we can do better.

I have amended our documented internal security process to include your suggestion.

There are too many online users to list.
Control functions:

Quick reply   Contract

Your name:
Your message: