Impact
A user with permission to use the import functionality of the ImportExportController behavior could be socially engineered by an attacker into uploading a maliciously crafted CSV file, which could result in a reflected XSS attack against that user.
Patches
Issue has been patched in Build 466 (v1.0.466).
Workarounds
Apply commit cd0b6a7 to your installation manually if you are unable to upgrade to Build 466.
References
Reported by Sivanesh Ashok
For more information
If you have any questions or comments about this advisory:
Threat assessment: