XWiki Platform / XWIKI-18568

Multiple instances of stored cross-site scripting (XSS) via editor and HTML macro


Details

    • Unit
    • High
    • Unknown
    • N/A

    Description

      I have managed to trigger stored XSS in v13.2 of XWiki in default configuration. This appears to affect any field using the WYSIWYG editor. I originally found it in v11 but tested the newest version and it works there too. Any user (or guest depending on security settings) can store JavaScript within WYSIWYG fields that they have permission to edit.

      To achieve stored XSS, one can:

      1. Edit a field that uses the WYSIWYG editor
      2. Click the "source" button
      3. Enter the HTML macro {{html}}
      4. Enter HTML containing an XSS payload (see proof of concept below)
      5. Close the HTML macro with {{/html}}
      6. Click "Save and View"

      Test proof-of-concept:

      {{html}}<img src=a onerror="javascript:prompt(1)"/>{{/html}}

      This string displays a JavaScript prompt box with the number 1 in it, though it could run malicious JavaScript inside the user's session in an attempt to perform actions as them or steal tokens.

      When quickly checking, I could trigger this on

      • User profile page - About and Address fields
      • Blog page / blog summary
      • Annotation (CTRL+M)
      • The source editor for XWiki pages
      • The FAQ page
      • (There are no doubt more that I didn't try)

      Screenshot of executing payload attached. Let me know if you need more details or videos, or if the above will suffice.
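The report above describes stored content rather than a reflected request, so the defender-side check is an audit of page sources: find every {{html}} macro body that carries inline event handlers, script elements or javascript: URLs, the pattern the proof of concept relies on. The script below is an added example written for this page; it is not XWiki code and not the reporter's. It assumes page sources are available as plain XWiki-syntax strings (for instance from an XAR export or the REST API), treats any macro parameters generically, and the sample documents and their names are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# An XWiki HTML macro block, with or without parameters:
#   {{html}} ... {{/html}}   or   {{html someparam="value"}} ... {{/html}}
# Parameters are captured but not interpreted; the body is what we inspect.
HTML_MACRO_RE = re.compile(
    r"\{\{html(?P<params>\s[^}]*)?\}\}(?P<body>.*?)\{\{/html\}\}",
    re.IGNORECASE | re.DOTALL,
)

# Indicators of script execution inside a macro body. Each label names the
# reason a block is flagged so reviewers can triage quickly.
SUSPICIOUS_PATTERNS = {
    "inline-event-handler": re.compile(r"\son[a-z]+\s*=", re.IGNORECASE),
    "script-element": re.compile(r"<\s*script\b", re.IGNORECASE),
    "javascript-url": re.compile(
        r"(?:href|src|action)\s*=\s*[\"']?\s*javascript:", re.IGNORECASE
    ),
    "embedded-content": re.compile(r"<\s*(?:svg|iframe|object|embed)\b", re.IGNORECASE),
}


@dataclass
class Finding:
    document: str      # page name the macro was found in
    line: int          # 1-based line where the {{html}} opener starts
    reasons: List[str]  # which SUSPICIOUS_PATTERNS matched
    snippet: str       # start of the macro body, for the review queue


def scan_document(name: str, content: str) -> List[Finding]:
    """Return one Finding per {{html}} block in `content` that matches an indicator."""
    findings: List[Finding] = []
    for match in HTML_MACRO_RE.finditer(content):
        body = match.group("body")
        reasons = [label for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(body)]
        if reasons:
            line = content.count("\n", 0, match.start()) + 1
            findings.append(Finding(name, line, reasons, body.strip()[:80]))
    return findings


def scan_all(documents: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan a mapping of page name -> source and keep only pages with findings."""
    result = {}
    for name, content in documents.items():
        findings = scan_document(name, content)
        if findings:
            result[name] = findings
    return result


# Constructed sample page sources (hypothetical page names). One benign use of the
# macro, the reporter's proof-of-concept string, a javascript: link, and a page
# with no HTML macro at all.
SAMPLE_DOCUMENTS = {
    "XWiki.Reporter": (
        "About me: I maintain the wiki.\n"
        "{{html}}<b>Contact:</b> see my profile{{/html}}\n"
    ),
    "Blog.Post1": (
        "= Weekly update =\n"
        "\n"
        "{{html}}<img src=a onerror=\"javascript:prompt(1)\"/>{{/html}}\n"
    ),
    "FAQ.Entry": (
        "= How do I log in? =\n"
        "\n"
        "{{html clean=\"false\"}}\n"
        "<a href=\"javascript:void(0)\">click</a>\n"
        "{{/html}}\n"
    ),
    "Sandbox.Plain": "Plain wiki text, {{velocity}}$services{{/velocity}} only.\n",
}


if __name__ == "__main__":
    for page, findings in scan_all(SAMPLE_DOCUMENTS).items():
        for f in findings:
            print(f"{page}:{f.line} {','.join(f.reasons)} :: {f.snippet}")
```

Run against a real export, the output is a review queue, not a verdict: a flagged block may be legitimate content from a trusted author, so the useful follow-up is to compare each hit against who last edited the page and whether that account is expected to write raw HTML.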

            People

              surli Simon Urli
              stuartw1 Stuart Walker
              Richard Curteis