2 matches found
CVE-2017-16881
b3log Symphony aka Sym 2.2.0 does not properly address XSS in JSON objects, as demonstrated by a crafted userAvatarURL value to /settings/avatar, related to processor/AdminProcessor.java, processor/ArticleProcessor.java, processor/UserProcessor.java, service/ArticleQueryService.java,...
CVE-2017-16881
The CVE-2017-16881 entry describes a Cross-Site Scripting (XSS) vulnerability in b3log Symphony (Sym) 2.2.0. A crafted userAvatarURL value sent to /settings/avatar can inject arbitrary scripts/HTML due to improper handling of JSON objects. The issue affects multiple components, including processo...