Code Fix: XSS vulnerability on forms
K2 Five 5.3 to 5.4
K2 Five (5.3) April 2020 Cumulative Update
K2 Five (5.3) April 2020 Cumulative Update Fix Pack 20
When you have a form that makes use of a server event to transfer a form parameter to a view parameter, the form becomes vulnerable to XSS.
The fix is available in the following K2 versions:
|K2 4.7 December 2019 Cumulative Update||K2 Five (5.0) December 2019 Cumulative Update||K2 Five (5.1) November 2018 Cumulative Update||K2 Five (5.2) May 2019 Cumulative Update||K2 Five (5.3) April 2020 Cumulative Update||K2 Platform Classic(5.4)|
|X||X||X||X||Fix Pack 20||Fix Pack 12|
- Ensure you have the correct K2 version and/or Cumulative Update installed. See KB001893 to see what Fix Pack level you have installed.
- Download the latest Fix Pack using the links in the table above for the version you require.
- Install the Fix Pack to apply the fix.
To fix the XSS vulnerability we had to roll back the fix for KB003579.