- Type: Bug
- Resolution: Fixed
- Priority: High
- Affects Version/s: 3.12, 3.12.1, 3.12.2, 3.12.3, 3.13, 3.13.1, 3.13.2, 3.13.3, 3.13.4, 3.13.5, 4.0, 4.0.1, 4.0.2, 4.1
- Component/s: System Administration - Others
- 3.12
The announcement preview banner is currently displayed via the global decorator. It can be used for an XSS attack on virtually every page, via the announcement_preview_banner_st URL parameter. We should display the preview only locally in the admin section.
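On an affected version, one way to review access logs for requests that carry this parameter where the preview should never be rendered. This is an added example, not code from the issue or the project; the admin path prefix, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

PARAM = "announcement_preview_banner_st"  # parameter named in the issue
ADMIN_PREFIX = "/secure/admin/"           # assumption: URL prefix of the admin section
MARKUP = re.compile(r"[<>\"']")           # characters significant in an HTML context

# Request line inside a combined-format access log entry (assumed log format)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def audit(lines):
    """Return (line_no, path, reasons) for each request carrying PARAM that needs review."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # parse_qs percent-decodes, so encoded markup is checked in its decoded form
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM)
        if values is None:
            continue
        reasons = []
        if not url.path.startswith(ADMIN_PREFIX):
            reasons.append("outside-admin")    # preview requested on a non-admin page
        if any(MARKUP.search(v) for v in values):
            reasons.append("markup-in-value")  # value would need encoding on output
        if reasons:
            findings.append((no, url.path, reasons))
    return findings

# Constructed sample lines; paths and addresses are hypothetical
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2000:10:00:00 +0000] "GET /secure/admin/banner?announcement_preview_banner_st=Maintenance+tonight HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2000:10:01:00 +0000] "GET /browse/DEMO-1?announcement_preview_banner_st=%3Cb%3Ehello%3C%2Fb%3E HTTP/1.1" 200 7311',
    '203.0.113.9 - - [01/Jan/2000:10:02:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9000',
    '203.0.113.9 - - [01/Jan/2000:10:03:00 +0000] "GET /secure/Dashboard.jspa?announcement_preview_banner_st=hello HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for no, path, reasons in audit(SAMPLE_LOG):
        print(f"line {no}: {path} -> {', '.join(reasons)}")
```

Parameters sent in a POST body do not appear in the request line and are not covered by this check.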