Hello,
We’re migrating to Indico 3.2.2, so I’ve installed this on a test server. A Nessus scan of this server shows XSS issues, e.g.
- The following resources may be vulnerable to HTML injection :
- The ‘password’ parameter of the /login/ CGI :
/login/?password=<"awapoz%20>
-------- output --------
Content-Length: 6223
Connection: keep-alive
X-Indico-URL: /login/?password=<"awapoz%20>
Set-Cookie: indico_session=f327e010-9ba2-42d9-bff5-e56613060660; E […]
(there are several pages of similar items).
Is this a real problem, and if so is there a fix or a workaround?
Thanks and regards,
Chris