[Bug 268525] XSS vulnerability in FreeBSD Manual Pages
Date: Fri, 23 Dec 2022 11:53:03 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268525

Bug ID: 268525
Summary: XSS vulnerability in FreeBSD Manual Pages
Product: Documentation
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Website
Assignee: doc@FreeBSD.org
Reporter: 12un91h9.hello@gmail.com

Vuln: XSS Cross-site script

Description: XSS appears in FreeBSD Manual Pages when a visitor does the following actions:
1. Search any command
2. Click "apropos" button beside "man" button
3. Concat the previous query param in the URL with " autofocus onfocus="alert(1)

Evidence link: https://www.freebsd.org/cgi/man.cgi?apropos=1&arch=default&format=html&manpath=FreeBSD%2014.0-CURRENT&query=id%22autofocus%20onfocus=%22alert(1)&sektion=0

--
You are receiving this mail because:
You are the assignee for the bug.
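
An added example, not part of the bug report and not man.cgi's own code: a regression check showing why the reported query value adds attributes when it is reflected unescaped, and that attribute-context output encoding keeps it inside the value. The `<input name="query" value="...">` template and all function names are assumptions; the report does not show the page's actual markup.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Evidence URL exactly as given in the bug report.
EVIDENCE_URL = (
    "https://www.freebsd.org/cgi/man.cgi?apropos=1&arch=default&format=html"
    "&manpath=FreeBSD%2014.0-CURRENT"
    "&query=id%22autofocus%20onfocus=%22alert(1)&sektion=0"
)

def query_param(url):
    """Return the decoded 'query' parameter, as a CGI script would receive it."""
    return parse_qs(urlsplit(url).query)["query"][0]

def render_unescaped(query):
    # Hypothetical template: raw interpolation into a double-quoted attribute.
    return '<input name="query" value="' + query + '">'

def render_escaped(query):
    # Same hypothetical template, with output encoding for an attribute context.
    return '<input name="query" value="' + escape(query, quote=True) + '">'

class _InputAttrs(HTMLParser):
    """Records the attribute list of the last <input> start tag seen."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = attrs

def input_attrs(markup):
    """Parse markup and return the (name, value) attributes of its <input>."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs

if __name__ == "__main__":
    q = query_param(EVIDENCE_URL)
    for render in (render_unescaped, render_escaped):
        # Any attribute other than name/value means the input escaped the quotes.
        print(render.__name__, [name for name, _ in input_attrs(render(q))])
```

The same attribute-name comparison can serve as a test for any reflected parameter: the rendered element must carry only the attributes the template itself defines.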