Security announcements

MSA-10-0008: Persistent XSS when using Login-as feature

 
Picture of Petr Skoda
Topic: Persistent XSS when using Login-as feature
Severity/Risk: Major
Versions affected: <1.8.12 and <1.9.8
Reported by: Sascha Herzog
Issue no.: MDL-21769
Solution: upgrade to 1.8.12 or 1.9.8
Workaround: see Version control tab in tracker issue


Description:
Users may trick admins into using the "Login as" feature to edit some existing posts which contain XSS exploit code.