Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-17568

HQL injection in getdocuments.vm with sort parameter

    XMLWordPrintable

Details

    • Low
    • Unknown
    • N/A

    Description

      In getdocument.vm ; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL ; see https://github.com/xwiki/xwiki-platform/blob/029c324dc3eeac1401210b420460bdfb970346e7/xwiki-platform-core/xwiki-platform-web/src/main/webapp/templates/getdocuments.vm#L75

      Attachments

        Issue Links

          is caused by

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-8320 Delete space should list all pages that are going to be deleted

          • Major - Major loss of function.
          • Closed

          Activity

            People

              camil7 Clemens Robbenhaar
              caubin Clément Aubin
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: