Errata - 3.3.2 / 3.4.0 XSS in devices list template (Community)
The filter labels rendered by the v_devices_collection.php template in Open-AudIT Community echo a URL-decoded filter value without HTML escaping, so a crafted value is interpreted by the browser as markup (cross-site scripting).
To address this issue, edit line 199 of the template, located at:
Windows : c:\xampp\open-audit\code_igniter\application\views\theme-bootstrap\v_devices_collection.php
Linux : /usr/local/open-audit/code_igniter/application/views/theme-tango/v_devices_collection.php
In 3.3.2 the line looks as below (none of the three values are escaped).
echo '<span class="label label-info">' . $item->name . ' ' . $item->operator . ' ' . urldecode($item->value) . ' <a href="' . $link . '">×</a></span> ';
In 3.4.0 the line looks as below (name and operator are escaped, but the decoded value is not).
echo '<span class="label label-info">' . htmlentities($item->name) . ' ' . htmlentities($item->operator) . ' ' . urldecode($item->value) . ' <a href="' . $link . '">×</a></span> ';
To fix the issue, change the line as below. Note that htmlentities() must wrap urldecode(), not the other way around: decoding can turn sequences such as %3C and %3E back into < and >, so the escaping has to run on the decoded string.
echo '<span class="label label-info">' . htmlentities($item->name) . ' ' . htmlentities($item->operator) . ' ' . htmlentities(urldecode($item->value)) . ' <a href="' . $link . '">×</a></span> ';
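The following is an added example, not Open-AudIT code: it reproduces the 3.4.0 line and the fixed line as functions and runs them over a constructed filter item whose value is URL-encoded, so the effect of the change (and of getting the urldecode/htmlentities order wrong) can be seen from the CLI. $item, $link and the label markup mirror the template lines quoted above; the sample value and link are assumptions made for the demonstration.

```php
<?php
// Added example, not part of Open-AudIT. Shows why the decoded value must be
// escaped, and why escaping before decoding is not enough.

function render_label_3_4_0(object $item, string $link): string
{
    // As shipped in 3.4.0: name and operator escaped, decoded value is not.
    return '<span class="label label-info">' . htmlentities($item->name) . ' '
        . htmlentities($item->operator) . ' ' . urldecode($item->value)
        . ' <a href="' . $link . '">×</a></span> ';
}

function render_label_wrong_order(object $item, string $link): string
{
    // Tempting but wrong: htmlentities() sees only '%3C...' (no < or > yet),
    // changes nothing, and urldecode() then reintroduces the raw tag.
    return '<span class="label label-info">' . htmlentities($item->name) . ' '
        . htmlentities($item->operator) . ' ' . urldecode(htmlentities($item->value))
        . ' <a href="' . $link . '">×</a></span> ';
}

function render_label_fixed(object $item, string $link): string
{
    // The fix from the errata: decode first, then escape, so any < > & "
    // produced by decoding is neutralised before it reaches the browser.
    return '<span class="label label-info">' . htmlentities($item->name) . ' '
        . htmlentities($item->operator) . ' ' . htmlentities(urldecode($item->value))
        . ' <a href="' . $link . '">×</a></span> ';
}

// Constructed filter item (assumption): the value arrives URL-encoded, as it
// would from a query string such as ?value=%3Cscript%3Ealert(1)%3C%2Fscript%3E
$item = (object) [
    'name'     => 'system.hostname',
    'operator' => 'like',
    'value'    => '%3Cscript%3Ealert(1)%3C%2Fscript%3E',
];
$link = '/devices?remove_filter=1'; // placeholder for the "remove filter" link

foreach (['3.4.0' => 'render_label_3_4_0',
          'wrong' => 'render_label_wrong_order',
          'fixed' => 'render_label_fixed'] as $label => $fn) {
    $html = $fn($item, $link);
    $raw  = str_contains($html, '<script>') ? 'RAW TAG PRESENT' : 'escaped';
    echo str_pad($label, 6) . ": {$raw}\n    {$html}\n";
}
```

Running this with `php` prints the three renderings: the 3.4.0 and wrong-order versions both contain a literal `<script>` element, while the fixed version contains `&lt;script&gt;`, which the browser displays as text. The same check (search the rendered page source for an unescaped tag after submitting an encoded value in a filter) is a quick way to confirm the patched line is in effect on a live install.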
Apologies for any inconvenience.
This has been addressed for our next release.