From 8025aa78fb52933666e13a7e9e782edf4ddf8b42 Mon Sep 17 00:00:00 2001
From: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu, 25 Sep 2025 13:12:43 +0200
Subject: [PATCH] time.cgi: Fixes bug 13883

Fixes: bug 13883 - time.cgi UPDATE_VALUE Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/time.cgi | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/time.cgi b/html/cgi-bin/time.cgi
index 04c1e771f..d465354bb 100644
--- a/html/cgi-bin/time.cgi
+++ b/html/cgi-bin/time.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2010  IPFire Team                                             #
+# Copyright (C) 2010-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -78,6 +78,7 @@ if ($timesettings{'ACTION'} eq $Lang::tr{'save'})
 	if (!($timesettings{'UPDATE_VALUE'} =~ /^\d+$/) || $timesettings{'UPDATE_VALUE'} <= 0)
 	{
 		$errormessage = $Lang::tr{'invalid time period'};
+		$timesettings{'UPDATE_VALUE'} = 0;
 		goto ERROR;
 	}
 
-- 
2.47.3