Fix XSS in api access (#14551)

The API access page didn't escape the username, allowing for injection.
Tony Murray
2022-11-01 05:20:08 -05:00
committed by GitHub
parent e864ed7795
commit 07cc9f4cdc


@@ -59,7 +59,7 @@ if (Auth::user()->hasGlobalAdmin()) {
<select class="form-control" id="user_id" name="user_id">
<?php
foreach ($userlist = User::all() as $user) {
echo '<option value="' . $user->user_id . '">' . $user->username . ' (' . $user->auth_type . ')</option>';
echo '<option value="' . $user->user_id . '">' . htmlentities($user->username) . ' (' . htmlentities($user->auth_type) . ')</option>';
} ?>
</select>
</div>
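Review bot: On the new `echo` line, `$user->user_id` is still concatenated unescaped into the `value="..."` attribute, and both `htmlentities()` calls rely on the running PHP version's default flags and charset rather than stating them. The id is presumably a numeric key, so this is unlikely to be exploitable, but escaping all three fields the same way makes the line safe by construction and independent of the PHP version: `htmlspecialchars((string) $user->user_id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, with the same call for `username` and `auth_type`. The enclosing `if (Auth::user()->hasGlobalAdmin())` block starts and ends outside the hunk, so any other place on this page that prints user-controlled fields is not visible here and should be checked for the same omission.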