Chapter 5. Evergreen 3.0.6

Table of Contents

Security Issue: XSS Vulnerability in Public Catalog
Other Bugfixes
Acknowledgements

This release is a security release that fixes cross-site scripting (XSS) vulnerabilities in the Evergreen public catalog. This release also includes several other bugfixes improving on Evergreen 3.0.5.

Security Issue: XSS Vulnerability in Public Catalog

This release fixes several cross-site scripting (XSS) vulnerabilities in the public catalog. When upgrading, Evergreen administrators should review whether any of the following templates have been customized or overridden. If so, either the template should be replaced with the stock version or the XSS fix (which entails adding the | html filter in several places) applied to the customized version.

  • Open-ILS/src/templates/opac/parts/record/contents.tt2
  • Open-ILS/src/templates/opac/parts/record/copy_counts.tt2
  • Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2

Note that exploiting the XSS vulnerabilities fixed in this release would require either the ability to create maliciously-constructed MARC bibliographic or holdings records or the ability to set a maliciously constructed organizational unit name.