Clean up stored XSS

We have an old installation of Zammad 3.1.x (package-install CentOS7)
That was vulnerable to stored XSS via a custom Avatar CVE-2021-42085.
We follow the Security Advisory ZAA-2021-17 and update to the latest versions of Zammad 5.0.x.

No more new XSS via a custom Avatar can be stored (tested).
But the previous XSS can still be triggered (samples from pen-testing).

How to find and delete all possible Stored XSS.


This topic was automatically closed 41 days after the last reply. New replies are no longer allowed.