| Topic: | Persistent XSS when using Login-as feature |
| Severity/Risk: | Major |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Sascha Herzog |
| Issue no.: | MDL-21769 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | see Version control tab in tracker issue |
Description:
Users may trick admins into using the "Login as" feature to edit some existing posts which contain XSS exploit code.