Security announcements

MSA-18-0019: Boost theme - blog search GET parameter insufficiently filtered

 
Picture of Michael Hawkins
MSA-18-0019: Boost theme - blog search GET parameter insufficiently filtered
 

The breadcrumb navigation provided by Boost theme when displaying search results of a blog were insufficiently filtered, which could result in reflected XSS if a user followed a malicious link containing JavaScript in the search parameter.


Severity/Risk: Minor
Versions affected: 3.5 to 3.5.1, 3.4 to 3.4.4, 3.3 to 3.3.7 and earlier unsupported versions
Versions fixed: 3.5.2, 3.4.5 and 3.3.8
Reported by: Michael Hawkins
Workaround: Use an alternative theme not based upon Boost until the fix is applied.
CVE identifier: CVE-2018-14631
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62857
Tracker issue: MDL-62857 Boost theme - blog search GET parameter insufficiently filtered