XWiki Platform: XWIKI-15463

XSS in several profile fields


Details

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Critical
    • Fix Version: None
    • Affects Version: 10.6.1
    • Component: User - User Profile
    • Difficulty: Easy

    Description

      Several fields in the user profile are vulnerable to Cross Site Scripting (XSS). Basically, you can put any script and it will be executed (the only limitation is the length of the fields).

      • First Name
      • Last Name
      • Company
      • Phone
      • Blog (External Links)
      • Blog Feed (External Links)

      Proof of concept:

      Put this in any of the mentioned fields: "><script>alert("hello1")</script>. The script is executed when you save the profile and then view it.
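The pattern behind this report is a profile value interpolated into the page verbatim, so a value that closes the surrounding attribute or element becomes live markup. The following is an added illustration written for this page; it is not XWiki's rendering code and not the reporter's proof of concept. It assumes a simplified profile with the six fields named above (snake_case keys are an assumption), renders it once the vulnerable way and once with context-appropriate escaping, and counts `<script>` start tags as a regression check. For the two link fields it also allowlists the URL scheme, because escaping only keeps a value inside the `href` attribute; it does not make an arbitrary value a sensible link.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample input: the payload quoted in the report, placed in a text field.
POC_PAYLOAD = '"><script>alert("hello1")</script>'

# Hypothetical field keys for the six profile fields listed in the report.
TEXT_FIELDS = ("first_name", "last_name", "company", "phone")
LINK_FIELDS = ("blog", "blog_feed")


def render_profile_unsafe(profile: dict) -> str:
    """The vulnerable pattern the report describes: values are dropped into the
    markup unchanged, so '"><script>...' ends the element and starts a script."""
    parts = []
    for field in TEXT_FIELDS:
        value = profile.get(field, "")
        parts.append(f'<span class="{field}">{value}</span>')
    for field in LINK_FIELDS:
        value = profile.get(field, "")
        parts.append(f'<a class="{field}" href="{value}">{value}</a>')
    return "".join(parts)


def is_safe_external_link(url: str) -> bool:
    """Scheme allowlist for the link fields: only absolute http(s) URLs are
    rendered as clickable links; anything else is shown as plain text."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_profile_safe(profile: dict) -> str:
    """Hardened rendering: every value is HTML-escaped for the context it lands in.
    quote=True also converts " and ' to entities, so an attribute cannot be closed."""
    parts = []
    for field in TEXT_FIELDS:
        value = html.escape(profile.get(field, ""), quote=True)
        parts.append(f'<span class="{field}">{value}</span>')
    for field in LINK_FIELDS:
        raw = profile.get(field, "")
        value = html.escape(raw, quote=True)
        if is_safe_external_link(raw):
            parts.append(f'<a class="{field}" href="{value}">{value}</a>')
        else:
            # Not a usable external link: display it, but never as an href.
            parts.append(f'<span class="{field}">{value}</span>')
    return "".join(parts)


def script_start_tags(rendered: str) -> int:
    """Regression check: number of <script> start tags in the rendered markup.
    The escaped rendering must always yield 0."""
    return len(re.findall(r"<script\b", rendered, flags=re.IGNORECASE))


if __name__ == "__main__":
    poisoned = {"first_name": POC_PAYLOAD, "blog": "https://example.org/blog"}
    print("unsafe:", script_start_tags(render_profile_unsafe(poisoned)))  # 1
    print("safe:  ", script_start_tags(render_profile_safe(poisoned)))    # 0
```

The same idea applies in a template engine: escape at output time, in the context of the surrounding markup, rather than trying to strip "bad" characters on save. The regression check is deliberately crude (it only looks for a script start tag) and is meant to catch the specific symptom in this report, not to replace output escaping.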


      People

        Thomas Mortagne (tmortagne)
        Juan C Mejia (ju4n15)
        Votes: 0
        Watchers: 2
