XSS issue - front page

Posted: Mon Jul 13, 2015 2:41 pm
by josh
There was a cross-site scripting vulnerability on the new user form on the front page - fixed now. Reported at:

https://www.xssposed.org/incidents/71870/ (which, as I type, still shows it as "unpatched" - I guess they take some time to re-verify).

These fields only show up when you're not logged in, and when you're not logged in, there are no cookies or other account-specific information, so I can't see how this would have been an actual security issue, but certainly it was bad form.