By Guest on Wednesday, 24 January 2018
Recently we ran a Wapiti 3.0.0 scan against our test website and it found several XSS vulnerabilities associated with jevents. The instances found involved the category_fv, limitstart, and catids parameters. We are running jevents 3.4.43 on our test and production websites. I am trying to determine whether these issues are specifically with jevents or with our particular use of jevents.
I think this could be an issue with your template's pagination code? Certainly the issue is triggered from the pagination - if you add &limit=2000 to the end of the URL the alert doesn't appear.

Can you test using a different template to confirm the issue is from your template?

If you'd like me to investigate further please send me login details for the test site.
Wednesday, 24 January 2018 15:19
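To make the reply's point concrete, here is an added illustration (not JEvents' code and not the original poster's template) of how a custom com_jevents template's pagination block can produce exactly the reflected XSS a scanner reports on catids, category_fv and limitstart, and what a fixed version looks like. The function names and the query-string sample are hypothetical; the parameter names and the com_jevents URL shape are taken from the thread. If the template only emits these links when there is more than one page of results, a very large &limit would suppress the pagination block and the alert with it, which is presumably why the reply suggests that test. In a real Joomla template the request values would normally come through Joomla's input layer (for example JInput's getInt/getString) rather than raw $_GET, but the escaping rules below are the same.

```php
<?php
// Added example, not code from JEvents or from the poster's template.
// Function names are hypothetical. Parameter names (catids, category_fv,
// limitstart) are the ones the scan flagged in the thread.

// Vulnerable form: request values are concatenated straight into an href.
// A value such as 12"><script>alert(1)</script> closes the attribute and
// injects markup, which is what a Wapiti XSS finding on these params means.
function buildPaginationLinkUnsafe(array $query, int $limit): string
{
    $catids     = $query['catids'] ?? '';
    $categoryFv = $query['category_fv'] ?? '';
    $start      = $query['limitstart'] ?? '0';

    return '<a href="index.php?option=com_jevents&task=cat.listevents'
        . '&catids=' . $catids
        . '&category_fv=' . $categoryFv
        . '&limitstart=' . $start
        . '&limit=' . $limit . '">Next</a>';
}

// Hardened form:
//  1. coerce numeric parameters to integers (limitstart, each id in catids),
//  2. URL-encode anything that stays free text (category_fv),
//  3. HTML-escape the finished URL before it goes into the attribute.
function buildPaginationLinkSafe(array $query, int $limit): string
{
    // catids is a comma-separated list of category ids in JEvents URLs;
    // keep only non-negative integers.
    $ids = [];
    foreach (explode(',', (string)($query['catids'] ?? '0')) as $piece) {
        $n = (int)$piece;
        if ($n >= 0) {
            $ids[] = $n;
        }
    }
    $catids = implode(',', $ids);

    // limitstart must be a non-negative integer; advance by one page.
    $start = max(0, (int)($query['limitstart'] ?? 0)) + max(1, $limit);

    // category_fv is treated as opaque text: percent-encode it for the URL.
    $categoryFv = rawurlencode((string)($query['category_fv'] ?? ''));

    $url = 'index.php?option=com_jevents&task=cat.listevents'
        . '&catids=' . $catids
        . '&category_fv=' . $categoryFv
        . '&limitstart=' . $start
        . '&limit=' . max(1, $limit);

    // Escape quotes and angle brackets so the URL cannot break out of href="".
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Next</a>';
}

// Constructed sample query string of the kind a scanner injects (not real traffic).
$query = [
    'catids'      => '12"><script>alert(1)</script>',
    'category_fv' => 'x" onmouseover="alert(2)',
    'limitstart'  => '0',
];

echo buildPaginationLinkUnsafe($query, 10), PHP_EOL; // attribute is broken out of; script tag lands in the page
echo buildPaginationLinkSafe($query, 10), PHP_EOL;   // catids reduced to 12, category_fv percent-encoded, URL escaped
```

Run it with `php example.php` and compare the two lines: in the unsafe output the quote in catids terminates the href and the script element is emitted verbatim, while in the safe output the same input leaves only the integer 12 and a percent-encoded category_fv. Coercing to integers is the stronger fix for id and offset parameters because it removes the attacker's characters entirely rather than relying on escaping alone.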
Thank you for the pointer to look specifically at the pagination. Our web developer is working through our custom com_jevents template to find and sanitize the pagination.
Thursday, 25 January 2018 13:35
Thanks for letting us know.
Thursday, 25 January 2018 13:39