Project: XWiki Platform
Issue: XWIKI-17374

XSS Cross Site Scripting


    Details

    • Tests:
      Unit
    • Difficulty:
      Unknown
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A
    • Pull Request Status:
      Pull Request accepted

      Description

      Some fields, like "Company" in the user profile editing section, are vulnerable to Cross Site Scripting (XSS).

      So, by inserting for example "<script> alert("XSS Cross Site Scripting in this field !!!"); </script>" in the Company field, someone who has access to this page can inject malicious code.

      An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.


      **Steps to reproduce the issue**

      1. Login as admin
      2. Create a test user
      3. Open the user profile page (https://localhost/bin/view/XWiki/<user>)
      4. Click edit button near Personal Information
      5. Edit Company field and insert for example <script> alert("Hello World!"); </script>
      6. Save & View and see the XSS in action
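As an added illustration (not code from this report or from XWiki itself), the snippet below contrasts the reported behaviour, where the stored Company value is interpolated into the profile HTML as-is, with escaped output, and adds a small check for values that are already persisted. The profile records, the `<dd>` markup and the function names are constructed for the example.

```python
import html
import re

# Constructed sample profile records: one ordinary company name and the
# harmless alert() payload quoted in the report's reproduction steps.
SAMPLE_PROFILES = [
    {"user": "alice", "company": "Example Corp"},
    {"user": "mallory", "company": '<script> alert("Hello World!"); </script>'},
]


def render_company_vulnerable(company: str) -> str:
    """Mimics the reported defect: the stored value is placed into the
    profile HTML unchanged, so any markup in it becomes live markup."""
    return f'<dd class="company">{company}</dd>'


def render_company_fixed(company: str) -> str:
    """Hardened rendering: HTML-escape the value at output time so the
    browser shows it as text instead of parsing it as a tag."""
    return f'<dd class="company">{html.escape(company, quote=True)}</dd>'


# Crude audit pattern for already-stored values: flags anything that would
# open a tag or introduce an inline event handler if rendered unescaped.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=", re.IGNORECASE)


def find_suspicious_profiles(profiles):
    """Return the user names whose stored Company field contains markup."""
    return [p["user"] for p in profiles if MARKUP_RE.search(p["company"])]
```

Running `find_suspicious_profiles` over real profile data is a way to locate values stored before the fix that still need review.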

              People

              Assignee:
              mleduc Manuel Leduc
              Reporter:
              Astaruf Lorenzo Anastasi
              Votes:
              0
              Watchers:
              5
