On Wed, Jun 24, 2020 at 08:39:06AM +0200, Raphael Hertzog wrote:
> Hi,
> 
> On Mon, 15 Jun 2020, Sebastien Delafond wrote:
> > See for instance the following URL:
> > 
> >   https://ci.debian.net/user/debci/jobs?package=abc";><script>alert(document.domain)</script>
> 
> The issue is present in multiple parameters and even in the URL itself:
> 
> XSS Param URL: 
> https://ci.debian.net/user/debci%3Cvideo%3E%3Csource%20onerror=%22javascript:prompt(9401)%22%3E/jobs
> 
> XSS Param package: 
> https://ci.debian.net/user/nobody/jobs?arch[]=amd64&package=bamtools%27%22()%26%25%3Cxx%3E%3CScRiPt%3Ealert(9904)%3C/ScRiPt%3E&suite[]=kali-dev
> 
> XSS Param trigger: 
> https://ci.debian.net/user/debci/jobs?arch[]=amd64&package=20&suite[]=kali-dev&trigger=1%27%22()%26%25%3Cxxx%3E%3CScRiPt%3Eprompt(9829)%3C/ScRiPt%3E
> 
> Is there any chance that you could fix this in the near future?
> 
> The issues are not critical but ignoring them doesn't give a good image of
> us. (And what if this could be exploited to trigger a test run with
> some evil parameters...)

They are not being ignored, and will be fixed as soon as possible.
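To illustrate the reflected-parameter defect the report describes and its fix, here is an added Ruby example (not debci's own code): a stand-in view that reflects the user name from the path and the `package` and `trigger` query parameters, first interpolated raw and then through `CGI.escapeHTML`, fed with one of the URLs quoted above. The route shape, the function names and the markup are assumptions.

```ruby
require 'cgi'

# Added example (not debci code): a minimal view that reflects the user name
# from the path and the `package` and `trigger` query parameters, the way the
# reported /user/<name>/jobs page does. render_unsafe shows the defect
# (raw interpolation into HTML); render_safe escapes every reflected value.

# Split a jobs URL into the user-name path segment and a Hash of decoded
# query parameters (first value of each). Hypothetical shape of the route.
def parse_jobs_url(url)
  path, query = url.split('?', 2)
  user = CGI.unescape(path[%r{/user/([^/]+)/jobs}, 1].to_s)
  params = query ? CGI.parse(query).transform_values(&:first) : {}
  [user, params]
end

# Vulnerable rendering: values land in an attribute and in element bodies as-is.
def render_unsafe(user, params)
  pkg, trig = params.fetch('package', ''), params.fetch('trigger', '')
  "<h1>Jobs for #{user}</h1>\n" \
  "<input name=\"package\" value=\"#{pkg}\">\n" \
  "<p>Trigger: #{trig}</p>"
end

# Hardened rendering: CGI.escapeHTML encodes & < > " ' so reflected text can
# neither close the value="" attribute nor start a new element.
def render_safe(user, params)
  h = ->(s) { CGI.escapeHTML(s) }
  "<h1>Jobs for #{h.(user)}</h1>\n" \
  "<input name=\"package\" value=\"#{h.(params.fetch('package', ''))}\">\n" \
  "<p>Trigger: #{h.(params.fetch('trigger', ''))}</p>"
end

# Regression check for templates: does any untrusted value containing a tag or
# attribute boundary character appear verbatim in the rendered page?
def reflects_markup?(html, values)
  values.any? { |v| v =~ /[<>"']/ && html.include?(v) }
end

# The package-parameter URL quoted in the report, percent-encoded as given.
REPORTED_URL = 'https://ci.debian.net/user/nobody/jobs?arch[]=amd64' \
               '&package=bamtools%27%22()%26%25%3Cxx%3E%3CScRiPt%3Ealert(9904)%3C/ScRiPt%3E&suite[]=kali-dev'

if __FILE__ == $0
  user, params = parse_jobs_url(REPORTED_URL)
  puts render_unsafe(user, params)
  puts render_safe(user, params)
end
```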
