Opened 10 years ago

Closed 3 years ago

#1529 closed defect (fixed)

Security Issues in XINHA WYSIWYG 0.96.1

Reported by: guest Owned by: gogo
Priority: normal Milestone: 0.97
Component: Xinha Core Version: trunk
Severity: normal Keywords: security issue
Cc: david.kurz@…


Hello there,

we at MajorSecurity found some security-related vulnerabilities within the XINHA WYSIWYG Editor. Please tell me the email address I should send the security-related details to.

You may contact me at: david.kurz[(at)]majorsecurity[(dot)]net

Best regards,

David Vieira-Kurz
Head of Security Research, MajorSecurity

Change History (3)

comment:1 follow-up: Changed 10 years ago by ejucovy

Hmm, have these vulnerabilities been addressed by the changes in 0.96.1 (#1515, #1518)? Or is this ticket still active?

comment:2 in reply to: ↑ 1 Changed 10 years ago by gogo

Replying to ejucovy:

Hmm, have these vulnerabilities been addressed by the changes in 0.96.1 (#1515, #1518)? Or is this ticket still active?

I emailed them when they posted, this is what they said...


First of all, thanks for the fast answer.

We at MajorSecurity have discovered some vulnerabilities in one of the plugins in XINHA WYSIWYG Editor version 0.96.1, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed directly to the "mode" parameter in "backend.php" of the "ExtendedFileManager" plugin is not properly sanitised before being stored and returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Proof of Concept:


Web applications should never trust user-generated input and should therefore sanitise all input. Edit the source code to ensure that input is properly sanitised.

I don't remember if I did anything about it.
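The fix the report asks for, shown as an added example rather than Xinha's own backend.php: the request parameter is checked against an allow-list before use and HTML-encoded before it is echoed back. The mode names and the `render_mode` helper are hypothetical, not the plugin's real ones.

```php
<?php
// Added example, not code from the ExtendedFileManager plugin.
// Demonstrates allow-list validation plus output encoding for a "mode"
// request parameter that is later reflected into the page.
declare(strict_types=1);

// Hypothetical allow-list; the plugin's actual mode names are not known here.
const ALLOWED_MODES = ['image', 'link'];

// Returns the mode unchanged only if it is one of the known values,
// otherwise null. Strict comparison avoids "0" == "image" style surprises.
function validate_mode(string $mode): ?string
{
    return in_array($mode, ALLOWED_MODES, true) ? $mode : null;
}

// Even a validated value is encoded on output, so the markup stays safe
// if the allow-list is ever widened to include characters special in HTML.
function render_mode(string $mode): string
{
    $encoded = htmlspecialchars($mode, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="mode" value="' . $encoded . '">';
}

// Request handling. $_REQUEST['mode'] may be absent, or an array if the
// client sends mode[]=..., so the type is checked before validation.
$raw  = $_REQUEST['mode'] ?? '';
$mode = is_string($raw) ? validate_mode($raw) : null;

if ($mode === null) {
    // Unknown or malformed value: reject it instead of storing or echoing it.
    http_response_code(400);
    exit('invalid mode');
}

echo render_mode($mode);
```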

comment:3 Changed 3 years ago by gogo

  • Resolution set to fixed
  • Status changed from new to closed

EFM is deprecated (it is being moved to unsupported and disabled unless the developer actively reactivates it)

IM and EFM are too crusty to support any longer.
