wle parameter allows for possible XSS attack #767
Milestone
Comments
|
ref #768 |
|
@kinabalu thanks for reporting this to us and providing a PR. We have tested the fix, merged the PR, and released version 3.11.3. Please note that in order to protect our customers that cannot upgrade immediately, we request to not disclose security vulnerabilities in the public issue tracker. Please see this readme section We appreciate all vulnerability reports and we strongly suggest to use our responsible disclosure form or to email us directly at [email protected]. |
|
Apologies for not reporting via the disclosure — didn’t see it but will
certainly in the future.
On Thu, Jan 30, 2020 at 13:47 Marcin Hoppe ***@***.***> wrote:
@kinabalu <https://github.com/kinabalu> thanks for reporting this to us
and providing a PR. We have tested the fix, merged the PR, and released version
3.11.3 <https://github.com/auth0/wp-auth0/releases/tag/3.11.3>.
Please note that in order to protect our customers that cannot upgrade
immediately, we request *to not disclose security vulnerabilities in the
public issue tracker*. Please see this readme section
for reference
https://github.com/auth0/wp-auth0/tree/3.11.3#vulnerability-reporting.
We appreciate all vulnerability reports and we strongly suggest to use our responsible
disclosure form <https://auth0.com/responsible-disclosure-policy/> or to
email us directly at ***@***.***
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#767>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAN5JI3HW3KYH2AQKVX37LRANDIBANCNFSM4KNXX2SA>
.
--
To our success!
Andrew Lombardi
|
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Description
As seen in this pull request #766 our team had a InfoSec pen tester successfully inject code into our login page because this parameter is injected without encoding
Reproduction
Given a URL like YOUR_SITE_HERE/wp-login.php?wle=%22%20onEvent%3DX186697040Y2Z%20
it's possible in a situation to inject code into the page in this hidden input type. with the item encoded, we have been able to still login using auth0 and/or the wordpress default login
Environment
The text was updated successfully, but these errors were encountered: