This product is part of Infowijs - a studio with a social heart.

Vulnerability log

This document contains an overview of historic security vulnerabilities that have been reported by users and fixed since.

July 2017

  • MINOR FIXED Minor XSS vulnerability in the 'Finish My Account' screen on the fields 'first name' and 'last name', allowing a user to pass in certain specific JavaScript expressions.

January 2017

  • MINOR FIXED When adding content through the WYSIWYG editor in multiple locations in the Courses module, it was possible to add malicious <script> tags.
    Version affected: beta-2
    Version fixed: 2.0.0

August 2016

  • MINOR FIXED A theoretical XSS attack was possible through the GET parameter 'community' on login pages, whose value was printed in the resulting HTML without sanitization. This type of attack is improbable as it would not have yielded any interesting information: the user wasn’t signed in yet.

December 2014

  • MEDIUM FIXED When entering an empty username in the login form of communities that use external LDAP authentication, a request to the LDAP server would still be sent, which allowed a theoretical DDoS attack, as some LDAP servers have rate limiting based on the user that is signing in.
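
An added illustration of the kind of guard that closes the December 2014 issue; it is not Infowijs's code. It goes slightly beyond the entry by also refusing empty passwords, since an LDAP simple bind with an empty password is an unauthenticated bind under RFC 4513. The names `ldap_login`, `normalize_username`, `CountingBind`, the `bind` callable and the length limit are hypothetical.

```python
import unicodedata

class LoginRejected(Exception):
    """Raised when credentials are refused before any LDAP traffic is sent."""

MAX_USERNAME_LEN = 256  # assumed limit for this example

def normalize_username(raw):
    """Return a cleaned username, or None if nothing usable remains."""
    if not isinstance(raw, str):
        return None
    name = unicodedata.normalize("NFKC", raw).strip()
    # Control characters (NUL, escape, ...) never belong in a login name.
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        return None
    # Zero-width/format characters can make an empty value look non-empty.
    visible = [ch for ch in name
               if unicodedata.category(ch) != "Cf" and not ch.isspace()]
    if not visible or len(name) > MAX_USERNAME_LEN:
        return None
    return name

def ldap_login(username, password, bind):
    """Validate locally, then call bind(username, password) at most once.

    `bind` is a hypothetical callable wrapping the real LDAP simple bind;
    it returns True on success.
    """
    name = normalize_username(username)
    if name is None:
        raise LoginRejected("empty or invalid username")
    # RFC 4513: a simple bind with an empty password is an unauthenticated
    # bind that some servers answer with success, so never forward it.
    if not password:
        raise LoginRejected("empty password")
    return bool(bind(name, password))

class CountingBind:
    """Constructed stand-in for an LDAP server that records every request."""
    def __init__(self, directory):
        self.directory = directory
        self.calls = []

    def __call__(self, username, password):
        self.calls.append(username)
        return self.directory.get(username) == password
```

Counting the calls that reach the stand-in server shows that rejected submissions generate no directory traffic at all.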