Details
-
Bug
-
Resolution: Fixed
-
High
-
3.12, 3.12.1, 3.12.2, 3.12.3, 3.13, 3.13.1, 3.13.2, 3.13.3, 3.13.4, 3.13.5, 4.0, 4.0.1, 4.0.2, 4.1
-
3.12
-
Description
The announcement preview banner is currently displayed via the global decorator. It can be used for an XSS attack on virtually every page, via the announcement_preview_banner_st URL parameter. We should display the preview only locally in the admin section.