Loganalyzer Cross Site Scripting Vulnerability in Highlight Parameter

A cross-site scripting vulnerability in the highlight parameter of the index.php page was brought to our attention by Sooraj K.S SecPod Technologies. We thank then for giving us the chance to fix these issues before releasing information into the public. More details about the vulnerabilities can be found in this security advisory.

Affected Stable Versions:

Stable branch up to v3.4.3 (inclusive)
Beta branch up to v3.5.4 (inclusive)

Fix:

Update to 3.4.4 or 3.5.5 or higher (if available).

Cross Site Scripting

Short Description:

A cross-site scripting vulnerability existed in the index.php page. An attacker could use it to execute arbitrary HTML and Script code by using the highlight parameter.

Potential Impact:

An attacker could use prepared links to include and run scripts within the context of LogAnalyzer on the users browser.

Credits:

We want to thank Sooraj K.S SecPod Technologies for identifying these issues and working with us in resolving it. More details can be found in there advisory