XWiki Platform / XWIKI-17568

HQL injection in getdocuments.vm with sort parameter

Details

    • Low
    • Unknown
    • N/A

    Description

      In getdocuments.vm, the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL; see https://github.com/xwiki/xwiki-platform/blob/029c324dc3eeac1401210b420460bdfb970346e7/xwiki-platform-core/xwiki-platform-web/src/main/webapp/templates/getdocuments.vm#L75
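
One way to constrain a request-supplied sort value before it reaches an HQL `order by`, shown as an added example that is not XWiki's code or the fix applied for this issue. The class name, the accepted sort keys and the property paths are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Map;

public class SortClauseBuilder {
    // Assumed mapping from accepted "sort" request values to HQL property paths.
    // Only the map's values ever reach the query, never the request string itself.
    private static final Map<String, String> SORTABLE = Map.of(
        "name", "doc.name",
        "date", "doc.date",
        "author", "doc.author");

    private static final String DEFAULT_ORDER = "doc.name asc";

    /**
     * Returns a fragment that is safe to append after "order by".
     * Identifiers in an order-by clause cannot be bound as query parameters,
     * so the value is resolved through an allowlist instead of being escaped.
     */
    public static String orderBy(String sort, String dir) {
        String key = sort == null ? "" : sort.trim().toLowerCase(Locale.ROOT);
        String column = SORTABLE.get(key);
        if (column == null) {
            // Unknown or malformed value: fall back rather than pass it through.
            return DEFAULT_ORDER;
        }
        // The direction is reduced to one of two literals.
        String direction = "desc".equalsIgnoreCase(dir) ? "desc" : "asc";
        return column + " " + direction;
    }

    public static void main(String[] args) {
        // Constructed request values, not taken from the issue.
        String[][] samples = {
            {"date", "desc"},            // accepted key and direction
            {"Name", null},              // case-insensitive key, default direction
            {"name, doc.author", "asc"}, // extra text after the key: rejected
            {null, "desc"},              // parameter absent
        };
        for (String[] s : samples) {
            String hql = "select doc.fullName from XWikiDocument doc order by "
                + orderBy(s[0], s[1]);
            System.out.println(s[0] + " / " + s[1] + " -> " + hql);
        }
    }
}
```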

          People

            camil7 Clemens Robbenhaar
            caubin Clément Aubin