Code Fix: XSS vulnerability on forms
KB003597
Product: K2 Five 5.3 to 5.4
K2 Five (5.3) April 2020 Cumulative Update
K2 Five (5.3) April 2020 Cumulative Update Fix Pack 20
Issue Description
When a form uses a server event to transfer a form parameter to a view parameter, the form becomes vulnerable to cross-site scripting (XSS).
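The weakness described above is a parameter value reaching the rendered view without output encoding. The following is an added illustration, not K2 code: it shows the unsafe concatenation pattern beside a hardened form, plus a check a reviewer can run over captured parameter values. The function names and the sample value are assumptions.

```javascript
// Added example (not K2 code): unsafe and hardened ways of carrying a form
// parameter into a view's rendered markup. Function names are assumptions.

// Encode the five characters that can change HTML context, so the parameter
// value is always rendered as text rather than parsed as markup.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the parameter value is concatenated straight into the
// view's markup, so any markup it carries is parsed by the browser.
function renderViewParameterUnsafe(name, value) {
  return `<span data-param="${name}">${value}</span>`;
}

// Hardened pattern: both the attribute value and the text node are encoded.
function renderViewParameter(name, value) {
  return `<span data-param="${htmlEncode(name)}">${htmlEncode(value)}</span>`;
}

// Defensive check: true when a parameter value contains characters that
// would be interpreted as markup if it were rendered without encoding.
function containsMarkupCharacters(value) {
  return /[<>"'&]/.test(String(value));
}

// Constructed sample parameter value (not taken from the page).
const sampleValue = '<script>alert(1)</script>';

console.log('unsafe :', renderViewParameterUnsafe('p', sampleValue));
console.log('encoded:', renderViewParameter('p', sampleValue));
console.log('flagged:', containsMarkupCharacters(sampleValue));
```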
Resolution
The fix is available in the following K2 versions:
| K2 4.7 December 2019 Cumulative Update | K2 Five (5.0) December 2019 Cumulative Update | K2 Five (5.1) November 2018 Cumulative Update | K2 Five (5.2) May 2019 Cumulative Update | K2 Five (5.3) April 2020 Cumulative Update | K2 Platform Classic (5.4) |
|---|---|---|---|---|---|
| X | X | X | X | Fix Pack 20 | Fix Pack 12 |
- Ensure you have the correct K2 version and/or Cumulative Update installed. See KB001893 to determine which Fix Pack level you have installed.
- Download the latest Fix Pack using the links in the table above for the version you require.
- Install the Fix Pack to apply the fix.
Considerations
To fix the XSS vulnerability, the fix for KB003579 had to be rolled back.