Details
- Bug
- Resolution: Fixed
- Blocker
- 12.10
- Unit
- Unknown
- N/A
- N/A
- Pull Request accepted
-
Description
Steps to reproduce:
- As a user without script rights, add the following content to the about section of your user profile:
  {{liveData id="movies" properties="title,description"}}
  {
    "data": {
      "count": 1,
      "entries": [
        {
          "title": "Meet John Doe",
          "url": "https://www.imdb.com/title/tt0033891/",
          "description": "<img onerror='alert(1)' src='foo' />"
        }
      ]
    },
    "meta": {
      "propertyDescriptors": [
        {
          "id": "title",
          "name": "Title",
          "visible": true,
          "displayer": {"id": "link", "propertyHref": "url"}
        },
        {
          "id": "description",
          "name": "Description",
          "visible": true,
          "displayer": "html"
        }
      ]
    }
  }
  {{/liveData}}
- Save the user profile.
Expected result:
No alert is displayed.
Actual result:
An alert with content "1" is displayed.
This demonstrates stored XSS (and, more generally, arbitrary HTML injection) from an unprivileged user account: the Live Data JSON source lets the content author choose the HTML displayer for a property, and that displayer inserts the property value into the page as raw HTML, so any markup in the JSON is rendered unsanitized. Similar results can probably be achieved with the Livetable data source by switching a column that is normally shown with the text displayer to the HTML displayer and then placing the HTML in the text content.
This is probably reproducible in all versions of XWiki that include the Live Data macro. Note that while the Livetable macro might allow similar attacks, it requires script rights and thus cannot be used by users who lack them.
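The following is an added example, not XWiki's own code, written to make the rendering problem concrete: a minimal Live Data style table renderer in which the "html" displayer copies the property value straight into the markup (the behaviour exploited above), next to a gated variant that honours the raw-HTML displayer only when the author of the content carrying the macro holds script right, which is the same rule the report credits for Livetable being unusable by unprivileged users. Function names (renderTable, renderForAuthor, renderCell, safeHref) and the script-right gating policy are assumptions for illustration; the input is the report's own payload, rebuilt as a JavaScript object.

```javascript
// Added example (not XWiki's code). Models a Live Data "html" displayer and one
// way to gate it on script right. All function names here are hypothetical.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value ?? '').replace(/[&<>"']/g, (c) => map[c]);
}

// The link displayer takes its href from another property; only allow http(s)
// there, so a "javascript:" URL in the JSON cannot become a clickable payload.
function safeHref(url) {
  return /^https?:\/\//i.test(String(url ?? '')) ? escapeHtml(url) : '#';
}

// propertyDescriptors give the displayer either as a string id or as an object.
function displayerOf(descriptor) {
  const d = descriptor.displayer;
  if (typeof d === 'string') return { id: d };
  return d && d.id ? d : { id: 'text' };
}

// Render one cell. With allowRawHtml=true the "html" displayer emits the value
// verbatim, which is exactly what the report's payload relies on.
function renderCell(entry, descriptor, { allowRawHtml }) {
  const d = displayerOf(descriptor);
  const value = entry[descriptor.id];
  if (d.id === 'html' && allowRawHtml) {
    return String(value ?? '');
  }
  if (d.id === 'link') {
    return `<a href="${safeHref(entry[d.propertyHref])}">${escapeHtml(value)}</a>`;
  }
  // "text", unknown displayers, and a disallowed "html" all fall back to escaping.
  return escapeHtml(value);
}

function renderTable(liveData, options) {
  const descriptors = liveData.meta.propertyDescriptors.filter((p) => p.visible !== false);
  const rows = liveData.data.entries.map(
    (entry) => `<tr>${descriptors.map((p) => `<td>${renderCell(entry, p, options)}</td>`).join('')}</tr>`
  );
  return `<table>${rows.join('')}</table>`;
}

// Gated entry point: raw HTML is only honoured when the author of the content
// carrying the macro has script right (assumed policy, mirroring the Livetable
// requirement described in the report). Everyone else gets the text displayer.
function renderForAuthor(liveData, authorHasScriptRight) {
  return renderTable(liveData, { allowRawHtml: authorHasScriptRight === true });
}

// Constructed input: the payload from the steps to reproduce, as a JS object.
const PROFILE_PAYLOAD = {
  data: {
    count: 1,
    entries: [
      {
        title: 'Meet John Doe',
        url: 'https://www.imdb.com/title/tt0033891/',
        description: "<img onerror='alert(1)' src='foo' />",
      },
    ],
  },
  meta: {
    propertyDescriptors: [
      { id: 'title', name: 'Title', visible: true, displayer: { id: 'link', propertyHref: 'url' } },
      { id: 'description', name: 'Description', visible: true, displayer: 'html' },
    ],
  },
};

// A profile author without script right: the img tag comes out as escaped text.
console.log(renderForAuthor(PROFILE_PAYLOAD, false));
```

Running the block prints the gated rendering for an unprivileged author; calling renderForAuthor(PROFILE_PAYLOAD, true) reproduces the vulnerable output, with the onerror handler left intact in the description cell. The gate sits at the point where the displayer is chosen, not in the JSON parser, because the JSON itself is legitimate input; what must be tied to a privilege is the decision to treat a string as markup.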
Issue Links
- is related to: XWIKI-20312 Stored XSS via the HTML displayer in Live Data still exploitable (Closed)