Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Duplicate
Priority: Major
Fix Version/s: None
Affects Version/s: 11.10.10
Component/s: User - User Profile
Labels:
None
Environment:
http://playground.xwiki.org/

Difficulty:
Unknown
Similar issues:

Description

1) Open user profile page and edit fields "first name", "last name", "company", "phone", "blog", "blog feed" with XSS payload, e.g.

first_name"><img src=x onerror=alert('first_name')>

2) Save changes, reload page

Actual result: XSS payload executes

Expected result: JS sanitized / escaped (like in "email" or "about" field)

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

xwiki_xss_profile.png
890 kB
14/Sep/20 13:24
xwiki_xss_payload_local.png
944 kB
14/Sep/20 13:25

Issue Links

duplicates

XWIKI-9658 XSS in the user profile

Closed

Activity

People

Assignee:: Thomas Mortagne

Reporter:: Grigorii Liullin

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 14/Sep/20 13:27

Updated:: 1 week ago 18:07

Resolved:: 18/Jan/21 09:06

Date of First Response:: 18/Jan/21 9:06 AM