Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-17795

Stored XSS on user profile page

    XMLWordPrintable

Details

    • Unknown

    Description

      1) Open user profile page and edit fields "first name", "last name", "company", "phone", "blog", "blog feed" with XSS payload, e.g. 

      first_name"><img src=x onerror=alert('first_name')>

       2) Save changes, reload page

      Actual result: XSS payload executes

      Expected result: JS sanitized / escaped (like in "email" or "about" field)

      Attachments

        1. xwiki_xss_payload_local.png
          944 kB
          Grigorii Liullin
        2. xwiki_xss_profile.png
          890 kB
          Grigorii Liullin

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-9658 XSS in the user profile

          • Major - Major loss of function.
          • Closed

          Activity

            People

              tmortagne Thomas Mortagne
              jay_from_future Grigorii Liullin
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: