Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Critical
Fix Version/s: 5.4.1, 6.0-milestone-1
Affects Version/s: 5.0.1, 5.3
Component/s: Web - Templates & Resources
Labels:
None

Difficulty:
Easy
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

Found an XSS bug in xwiki. Below are the details of the bug which have been verified from my end.

Example Vulnerable Link:

http://www.xwiki.org/xwiki/bin/view/Main/News?xpage=pdfoptions&qs=bad%22onmouseover=%22alert%28%27xss%27%29

Vulnerability description

URL encoded GET input qs was set to 1" onmouseover=prompt(922101) bad="

The input is reflected inside a tag parameter between double quotes.

How to fix this vulnerability

Script should filter metacharacters from user input.

Attachments

Activity

People

Assignee:: Clemens Robbenhaar

Reporter:: Clint Savage

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 04/Feb/14 20:38

Updated:: 02/Dec/22 10:59

Resolved:: 10/Feb/14 11:07

Date of First Response:: 06/Feb/14 4:31 PM