davemckain / qtiworks

**This project will be closed in early 2023!** IMS QTI 2.1 assessment delivery engine and Java development library (JQTI+). Supports the MathAssess extensions. Replacement for QTIEngine/JQTI and MathAssessEngine/JQTI. Note that this project has now ended and no further work is currently planned.

Security: XSS vulnerabilities in some instructor interface pages #45

Closed davemckain closed 10 years ago

davemckain commented 10 years ago

There are a small number of instances of client input not being escaped when being inserted back into HTML page content, leading to potential cross-site scripting (XSS) vulnerabilities.

The affected pages are the system/instructor user login page, the create delivery page, edit delivery page and the 'show candidate session' pages.

A new release of QTIWorks (1.0-beta7) fixes these problems and has been rolled out to https://webapps.ph.ed.ac.uk/qtiworks

All users running their own QTIWorks deployments are advised to upgrade to beta7 as soon as possible.
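An added illustration of the class of defect described in this issue, written here as example code and not taken from QTIWorks: a login form that echoes the submitted user name back into the page, first by raw string concatenation and then with the value escaped at the point it enters the HTML. The class and method names are hypothetical; the sample input is constructed.

```java
/** Example only (not QTIWorks code): reflecting client input into HTML safely. */
public final class LoginPageEscaping {

    // Escape the characters that can end a text node or a quoted attribute value.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable: the submitted name is concatenated straight into an attribute value.
    static String renderLoginFormVulnerable(String submittedName) {
        return "<input name=\"username\" value=\"" + submittedName + "\">";
    }

    // Fixed: the untrusted value is escaped where it is inserted into the markup.
    static String renderLoginFormFixed(String submittedName) {
        return "<input name=\"username\" value=\"" + escapeHtml(submittedName) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample input: a quote and angle brackets, as a tester would submit.
        String hostile = "\"><b>x</b>";

        String broken = renderLoginFormVulnerable(hostile);
        String safe = renderLoginFormFixed(hostile);
        System.out.println("vulnerable: " + broken); // attribute is closed and a new element appears
        System.out.println("fixed:      " + safe);   // input survives only as literal text

        // Check used during review: the fixed markup must contain exactly one '<' (the <input>).
        if (safe.indexOf('<', 1) != -1) {
            throw new AssertionError("escaping failed: extra tag in rendered output");
        }
        // And the vulnerable rendering does contain the injected element, which is the bug.
        if (!broken.contains("<b>")) {
            throw new AssertionError("expected the unescaped rendering to reflect the markup");
        }
    }
}
```

The same check applies to every page listed above: any value that came from the request, including the logged-in name shown on the create/edit delivery and candidate session pages, must go through an escaper such as a JSP `<c:out>` or an equivalent before it is written into the response.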

davemckain commented 10 years ago

Fixed in 1.0-beta7, which has just been rolled out.