remark42 before v1.6.1 allows XSS via locator.URL

Moderate
umputun published GHSA-rr9w-fhvc-chhr Mar 29, 2021

Package

remark42

Affected versions

< 1.6.1

Patched versions

1.6.1

Description

Impact

One of the comment elements (locator.URL), used internally to match comments to posts, was missing proper validation. An attacker might be able to inject arbitrary HTML and script code into the website. This would alter the site's appearance and make it possible to initiate further attacks against site visitors. The code could be executed in the browser because locator.URL is displayed in both the primary comment widget and the latest comments widget. The primary comments widget won't render such URLs, because a comment with an altered locator.URL won't match the comment thread, but the latest comments widget will. This XSS doesn't allow access to the authentication token, which is stored as an http-only secure cookie.

Successful exploitation requires authentication and user interaction by the victim. There is no available exploit.
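
The class of check that was missing, as an added example: this is not remark42's code and not the v1.6.1 patch. The function names, the 2048-byte limit and the sample values are assumptions made for illustration; the sketch validates a locator-style URL on input and still escapes it on output.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"net/url"
	"strings"
)

var ErrLocatorURL = errors.New("locator URL rejected")

// ValidateLocatorURL (hypothetical) accepts only absolute http(s) URLs with a host.
func ValidateLocatorURL(raw string) error {
	if raw == "" || len(raw) > 2048 {
		return ErrLocatorURL
	}
	// Markup metacharacters and spaces have no place in a canonical post URL.
	if strings.ContainsAny(raw, "<>\"'`\\ ") {
		return ErrLocatorURL
	}
	for _, r := range raw { // control characters, including CR, LF and tab
		if r < 0x20 || r == 0x7f {
			return ErrLocatorURL
		}
	}
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" || u.User != nil {
		return ErrLocatorURL
	}
	return nil
}

// RenderPostLink (hypothetical) validates, then still escapes before building markup.
func RenderPostLink(raw string) (string, error) {
	if err := ValidateLocatorURL(raw); err != nil {
		return "", err
	}
	safe := html.EscapeString(raw)
	return fmt.Sprintf(`<a href="%s">%s</a>`, safe, safe), nil
}

func main() {
	// Constructed sample values, not taken from the advisory.
	samples := []string{"https://example.com/post/1?a=1&b=2", `https://example.com/"><b>x</b>`, "ftp://example.com/x", "/post/1"}
	for _, s := range samples {
		out, err := RenderPostLink(s)
		fmt.Printf("%q -> %q err=%v\n", s, out, err)
	}
}
```

Rejecting the value when the comment is submitted keeps it out of storage, and escaping at render time covers any widget that displays values stored before the check existed.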

Patches

Version v1.6.1, as well as the latest master, addressed the issue.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2021-29271

Weaknesses

Credits