Topic: Persistent XSS when using Login-as feature
Severity/Risk: Major
Versions affected: <1.8.12 and <1.9.8
Reported by: Sascha Herzog
Issue no.: MDL-21769
Solution: upgrade to 1.8.12 or 1.9.8
Workaround: see Version control tab in tracker issue
Description:
Users may trick admins into using the "Login as" feature to edit some existing posts which contain XSS exploit code.