Details
- Bug
- Resolution: Fixed
- Minor
- 2.3, 2.2.6, 2.3.1, 2.4 M1
- None
- security, xss
- Integration
- Trivial
Description
Only affects logged-off users, therefore a minor problem.
Example injection via the "xredirect" and "srid" parameters:
http://localhost:8080/xwiki/bin/view/Main/Test?xpage=imported&xredirect=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E
http://localhost:8080/xwiki/bin/view/Main/Test?xpage=imported&srid=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E
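To show why the two URLs above trigger reflected XSS and what the fix looks like, here is an added illustration (not XWiki's own template code): a hypothetical template that echoes the `xredirect` / `srid` request parameters into an HTML attribute, first unescaped and then HTML-escaped, fed with the ticket's own payload.

```python
import html
from urllib.parse import urlsplit, parse_qs

# The two proof-of-concept URLs from the ticket (constructed sample input).
POC_URLS = [
    "http://localhost:8080/xwiki/bin/view/Main/Test?xpage=imported"
    "&xredirect=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E",
    "http://localhost:8080/xwiki/bin/view/Main/Test?xpage=imported"
    "&srid=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E",
]

# Parameters the "imported" page reflects back into its form (per the ticket).
REFLECTED_PARAMS = ("xredirect", "srid")


def request_params(url):
    """Decode the query string as a servlet container would (percent-decoding applied)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def render_unescaped(params):
    """Hypothetical vulnerable template: raw parameter values inside value="..."."""
    return "".join(
        '<input type="hidden" name="%s" value="%s"/>' % (name, params.get(name, ""))
        for name in REFLECTED_PARAMS
    )


def render_escaped(params):
    """Fixed template: escape <, >, & and quotes before emitting into an attribute,
    the equivalent of $escapetool.xml(...) in a Velocity template."""
    return "".join(
        '<input type="hidden" name="%s" value="%s"/>'
        % (name, html.escape(params.get(name, ""), quote=True))
        for name in REFLECTED_PARAMS
    )


def contains_injected_markup(rendered):
    """Detection check for a test suite: the template never emits <script> itself,
    so its presence means a parameter broke out of the attribute."""
    return "<script" in rendered.lower()
```

Running `render_unescaped(request_params(url))` for either URL yields markup containing `"><script>alert(3)</script>`, while the escaped rendering keeps the payload inert inside the attribute.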