XWiki Platform / XWIKI-19611

XSS through attachment filename in uploader

Details

    • Integration
    • Medium
    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      1. Create a file "><img src=1 onerror=alert(1)>.jpg locally (any image will do).
      2. Go to any wiki page where you have edit rights, go to the attachments tab and choose the file to upload.

      Expected result:

      1. The file is uploaded and displayed with its full filename.

      Actual result:

      1. Three alerts with "1" as content are displayed. The notification at the bottom of the screen and the progress bar don't display the full name.

      I don't really see how the upload can be exploited as this is only temporarily visible to the uploading user but this should be fixed nevertheless.

      The affects version currently only reflects the tested versions; I expect that this issue has been introduced with the uploader in XWIKI-8132, i.e., XWiki 4.2-milestone-3.

      This issue has originally been reported as part of XWIKI-19602, found by Aleksey Solovev (Positive Technologies). I'm creating this issue to have clear reproduction steps in the issue itself and not to mix it with the other issues reported in the original issue.
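
The behaviour in the report is what happens when a client-supplied file name is concatenated into markup for a status line without escaping. The following is an added example, not XWiki's uploader code or its fix: the function names and markup are hypothetical, and the sample file name is the one from the reproduction steps.

```javascript
// Added example: hypothetical helpers, not taken from the XWiki code base.

// Characters that change the parsing context in HTML text or quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the file name is placed into an attribute value and into
// element content as-is, so a quote or angle bracket in the name ends the
// intended context and starts new markup.
function renderUploadStatusUnsafe(fileName, percent) {
  return '<div class="upload-status" title="' + fileName + '">' +
         '<span class="file-name">' + fileName + '</span>' +
         '<span class="progress">' + percent + '%</span></div>';
}

// Hardened pattern: escape the name for both contexts and coerce the progress
// value to a bounded number. In a browser, building the nodes and assigning
// the name through textContent avoids string markup altogether.
function renderUploadStatusSafe(fileName, percent) {
  const name = escapeHtml(fileName);
  const pct = Math.max(0, Math.min(100, Number(percent) || 0));
  return '<div class="upload-status" title="' + name + '">' +
         '<span class="file-name">' + name + '</span>' +
         '<span class="progress">' + pct + '%</span></div>';
}

// Counts start tags of a given element; a simple scan that is sufficient for
// the fixed markup produced by the two render functions above.
function countTags(html, tag) {
  const re = new RegExp('<' + tag + '[\\s>]', 'gi');
  return (html.match(re) || []).length;
}

// File name from the reproduction steps in this issue.
const reportedName = '"><img src=1 onerror=alert(1)>.jpg';

console.log('img tags, unsafe:', countTags(renderUploadStatusUnsafe(reportedName, 40), 'img'));
console.log('img tags, safe:  ', countTags(renderUploadStatusSafe(reportedName, 40), 'img'));
console.log(renderUploadStatusSafe(reportedName, 40));
```

A regression test for the uploader can use the same check: render the status for a file name containing `"`, `<` and `>` and assert that no element beyond the expected ones appears and that the full name is displayed.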

            People

              pjeanjean Pierre Jeanjean
              MichaelHamann Michael Hamann
              Diana, Georgios Roumeliotis