Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Duplicate
Priority: Blocker
Fix Version/s: None
Affects Version/s: 13.10.3
Component/s: Skin - Skinx
Labels:

Development Priority:
High
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

It's possible to perform a XSS in JSX "on demand" or "on this document" which don't requires PR, just by creating a new JSX with edit right, and waiting for a PR user to execute it when accessing the page.
By doing so, we can request a PR user to create a page, or modify it, using any REST (or HTTP) request on the targeted wiki.
Basically it allows privilege escalation.

Attachments

Issue Links

duplicates

XWIKI-9119 JavaScriptExtension enables any user with edit right to execute any script he wants

Closed

is related to

XRENDERING-663 XSS Javascript injection via XWiki 2.x syntax

Closed

XWIKI-9118 XSS in restricted context via html macro

Closed

relates to

XWIKI-18049 Improve the html escaping mechanism for XSS protection

Closed

XWIKI-19421 JSX XObjects with Use this extension=On this wiki requires PR rights

Closed

Activity

People

Assignee:: Simon Urli

Reporter:: Simon Urli

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 10/Mar/22 15:21

Updated:: 12/Apr/23 13:50

Resolved:: 10/Mar/22 16:20