Security patch for XSS vulnerability - Comments


Security patch for XSS vulnerability

Posted 07 November 2015, 11:34 PM
An XSS security hole has been found in ocPortal and reported to us yesterday. Additionally there are 2 very similar flaws that additional testing has found.

This hole allows a hacker to potentially interfere with your website by guiding a logged-in administrator to a malicious URL.

It is important to apply the attached security patch as soon as possible. This patch is compatible with ocPortal 9 sites. The attached zip contains 3 altered template files, to be uploaded to the themes/default/templates
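The post does not describe the template change itself, so as an added illustration (not code from ocPortal or from the attached patch) the snippet below shows the general shape of the defect class behind a reflected XSS in a template: a request-supplied value written into HTML without escaping, next to the hardened form that escapes at the point of output. Function and parameter names are hypothetical; the sample input is constructed.

```php
<?php
// Added example, not code from ocPortal or its security patch.
// Shows the class of defect a reflected-XSS template fix addresses:
// a template that writes a request-supplied value into HTML unescaped.
// Function and parameter names are hypothetical.

declare(strict_types=1);

// Escape a string for use in a text node or a double-quoted attribute value.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable form: the search term is copied straight into the markup,
// so any markup in the URL parameter becomes part of the page.
function render_search_header_unsafe(string $term): string
{
    return '<h2>Results for: ' . $term . '</h2>';
}

// Hardened form: every untrusted value is escaped where it is output.
function render_search_header_safe(string $term): string
{
    return '<h2>Results for: ' . escape_html($term) . '</h2>';
}

// Constructed input standing in for a URL parameter such as ?q=...
$term = $_GET['q'] ?? 'b<i>old</i> "quoted"';

echo render_search_header_safe($term), "\n";
```

The point a template fix of this kind makes is that escaping belongs at the output site, chosen for the context (HTML text, attribute, URL, script), rather than being applied once on input and assumed to hold everywhere; a reviewer checking the altered templates would look for each place a request-derived value reaches the markup.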

You should always put affected and fixed in versions to your security advisories and notifications. In this case, if I am correct, these are following:

Affected: <= 9.0.20
Fixed in: 9.0.21

CVE request for this vulnerability in here: oss-security - Cross site vulnerability (XSS) in OcPortal CMS 9.0.20
Thanks for the feedback.

We have a process where we directly flag the urgency of upgrading to a new release to people, but we can do better.

I have amended our documented internal security process to include your suggestion.

