Kohana is affected by a cross-site scripting (XSS) vulnerability. This is due to the way image tags are stripped in system/classes/Kohana/Security.php, which allows an attacker to inject arbitrary JavaScript code by bypassing the strip_image_tags protection mechanism.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | kohana/core | le | 3.3.6 |
advisory.checkmarx.net/advisory/CX-2016-4451
github.com/kohana/core/commit/f3cd2ef14871cc6b8c9b9c6f32ce52ab447a3efb
github.com/kohana/kohana/issues/107
github.com/kohana/kohana/releases/tag/v3.3.6
lists.debian.org/debian-lts-announce/2018/01/msg00015.html
www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/