
XSS error on the account login page

Issue: SI-4
Date: Sep 10, 2012 12:00:00 AM
Severity: Moderate
Requires Admin Access: No
Fix Version: 2.2
Credit: Constant Contact
Description:

1. XSS in http://dotcms.constantcontact.com/c/portal_public/login
   on the my_account_logon parameter (the User ID field on the login form):

   my_account_logon='"'>'

2. XSS in http://dotcms.constantcontact.com/c/portal_public/login
   on the my_account_email_address parameter.

   To reproduce, leave the my_account_logon param blank and set
   my_account_email_address="/>
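Both findings are the same defect: a submitted value is written back into an HTML attribute without attribute-context escaping, so a quote character ends the attribute early. The following is an added Python example, not dotCMS code and not the fix from the linked commit. It assumes a constructed minimal form template that reflects the two parameters into `value` attributes, renders it once verbatim and once HTML-escaped, and uses the standard library HTML parser to check whether the advisory's own two payloads still land inside the attribute the way a browser would see them.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for a login form that reflects the submitted
# field values back into the page. This is NOT dotCMS's login.jsp.
FORM_TEMPLATE = (
    '<input type="text" name="my_account_logon" value="{logon}" />'
    '<input type="text" name="my_account_email_address" value="{email}" />'
)

# The two payloads quoted in the advisory, keyed by parameter name.
ADVISORY_PAYLOADS = {
    "my_account_logon": "'\"'>'",
    "my_account_email_address": '"/>',
}


def render_unescaped(fields: dict) -> str:
    """Vulnerable rendering: values are inserted verbatim into attribute context."""
    return FORM_TEMPLATE.format(logon=fields["my_account_logon"],
                                email=fields["my_account_email_address"])


def render_escaped(fields: dict) -> str:
    """Hardened rendering: each value is HTML-escaped; quote=True also
    encodes both ' and ", which is what attribute context requires."""
    return FORM_TEMPLATE.format(
        logon=html.escape(fields["my_account_logon"], quote=True),
        email=html.escape(fields["my_account_email_address"], quote=True),
    )


class _InputCollector(HTMLParser):
    """Collects {name: value} for every <input> the parser recognises."""

    def __init__(self):
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if "name" in a:
                self.values[a["name"]] = a.get("value")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def reflected_values(markup: str) -> dict:
    """Parse rendered markup and return the value attribute of each named
    <input> as a browser would interpret it (character references decoded)."""
    collector = _InputCollector()
    collector.feed(markup)
    collector.close()
    return collector.values


def payloads_contained(render) -> bool:
    """True when every advisory payload survives rendering as plain attribute
    text, i.e. nothing broke out of the value="" context."""
    return reflected_values(render(ADVISORY_PAYLOADS)) == ADVISORY_PAYLOADS


if __name__ == "__main__":
    print("unescaped contains payloads:", payloads_contained(render_unescaped))
    print("escaped contains payloads:  ", payloads_contained(render_escaped))
    print(render_escaped(ADVISORY_PAYLOADS))
```

The check is deliberately done with a parser rather than by string matching: what matters for XSS is the tree the browser builds, and in the unescaped rendering the `"` in each payload terminates the attribute, so the parsed value is no longer what the user submitted and the remainder of the payload becomes markup.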

Workaround:

Valid workarounds:

  1. Upgrade to dotCMS 2.2+
  2. Restrict access to the admin tools to a subset of trusted IPs
  3. Override your dotCMS/html/portal/login.jsp and add the code shown here: https://github.com/dotCMS/dotCMS/commit/b2dbc79d07faaf913f5cdc7ee6e9b94144fdcf93
Issues
  • https://github.com/dotCMS/dotCMS/issues/1092