A cross-site scripting vulnerability in the viewid parameter of the userchange.php page was brought to our attention by Thomas Pollet. We thank then for giving us the chance to fix this issue before releasing information into the public. More details about the vulnerabilities can be found in this security advisory.
Affected Stable Versions:
Stable branch up to v3.6.1 (inclusive)
Update to 3.6.2 or higher (if available).
Cross Site Scripting
A cross-site scripting vulnerability existed in the userchange.php page. An attacker could use it to execute arbitrary HTML and Script code by using the viewid parameter.
An attacker could use prepared links to include and run scripts within the context of LogAnalyzer on the users browser.
We want to thank Thomas Pollet for identifying these issues and working with us in resolving it.