CVE-2014-3207: Unfiltered XSS

Issue #26 resolved
Former user created an issue

SKS 1.1.4 does not filter: /pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt>

For example:<ScRiPt>prompt(972363)</ScRiPt>;

Note that recent browsers will urlencode this for you, thus the XSS only affects older browsers. You can verify this using curl, for example:


Proposed fix:
Filter input/output (or do not display the input at all).

Initial report and findings: by Haris (
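The mechanism behind the report, and the proposed fix, as an added example that is not part of the issue or of the SKS code base: a request path is echoed into an HTML error page, first unescaped (the behaviour the report describes) and then HTML-escaped (the "filter output" fix). The error-page template, the function names and the helper that imitates a current browser's percent-encoding of the path are assumptions for illustration; the payload is the one from the report. The point of the curl check mentioned above is that curl sends the path unencoded, which a current browser will not do, so the same check is reproduced here by comparing the raw path with its percent-encoded form. The last function also shows the caveat a reviewer would want: if a server percent-decodes the path before reflecting it, the browser's encoding no longer protects anyone.

```python
import html
from urllib.parse import quote, unquote

# Constructed input: the exact path and payload from the report.
PAYLOAD = "<ScRiPt>prompt(972363)</ScRiPt>"
REPORTED_PATH = "/pks/lookup/undefined1" + PAYLOAD

# Assumed error-page template; the real SKS template is not shown on the page.
TEMPLATE = ("<html><body><h1>Error handling request</h1>"
            "<p>Unrecognized lookup path: {path}</p></body></html>")


def vulnerable_error_page(path: str) -> str:
    """Reflects the request path into HTML verbatim (the reported behaviour)."""
    return TEMPLATE.format(path=path)


def hardened_error_page(path: str) -> str:
    """Escapes <, >, &, and quotes before reflecting (the 'filter output' fix).

    quote=True also escapes " and ' so the value is safe inside attributes,
    not only in element text."""
    return TEMPLATE.format(path=html.escape(path, quote=True))


def browser_encoded_path(path: str) -> str:
    """What a current browser sends for the same address: '<' and '>' become %3C and %3E.

    Assumed approximation of browser behaviour; '/' is kept so the path structure survives."""
    return quote(path, safe="/")


def decoded_then_reflected(path: str) -> str:
    """Caveat: a server that percent-decodes the path before echoing it undoes the
    browser's encoding, so the payload is live again even for current browsers."""
    return vulnerable_error_page(unquote(path))


def reflects_raw_markup(response_body: str, payload: str = PAYLOAD) -> bool:
    """The same check the curl reproduction makes: is the payload echoed byte-for-byte?"""
    return payload in response_body


if __name__ == "__main__":
    encoded = browser_encoded_path(REPORTED_PATH)
    cases = {
        "unencoded path, no filtering (curl / old browser)": vulnerable_error_page(REPORTED_PATH),
        "unencoded path, escaped on output (fix)": hardened_error_page(REPORTED_PATH),
        "browser-encoded path, no filtering": vulnerable_error_page(encoded),
        "browser-encoded path, decoded before reflecting": decoded_then_reflected(encoded),
    }
    for label, body in cases.items():
        print(f"{label}: {'XSS' if reflects_raw_markup(body) else 'safe'}")
```

Only the second and third cases come out safe, and the third only because the client chose to encode; escaping on output is the fix that does not depend on the client.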

Comments (7)
