  1. XWiki Platform
  2. XWIKI-19612

XSS in the attachment history

Details

    • Unit
    • High
    • Unknown
    • N/A

    Description

      Steps to reproduce:

      1. Create a file "><img src=1 onerror=alert(1)>.jpg locally (any image will do).
      2. Attach it to a wiki page.
      3. Click on the attachments button at the bottom of the page.
      4. Click on the version number next to the filename to display the history.

      Expected result:

      1. The history is displayed and the full filename is displayed in the title.

      Actual result:

      1. An alert is displayed again and the filename in the title of the history isn't fully displayed.

      This demonstrates a persistent XSS vulnerability in the attachment history displayer (i.e., viewattachrev.vm), which should be exploitable with just write access to the user profile. As always, this can be used for privilege escalation: when a user with, e.g., programming rights visits the attachment history, the injected JavaScript can modify the user profile with the rights of the visiting user.
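
      A regression check for this class of bug, as an added example that is not XWiki's code: it renders the filename from the reproduction steps into a hypothetical title template and parses the result to see whether the filename stayed text or became markup. TEMPLATE, render_unescaped, render_escaped and audit are assumed names and do not reproduce the contents of viewattachrev.vm.

```python
import html
from html.parser import HTMLParser

# Filename taken from the reproduction steps above.
FILENAME = '"><img src=1 onerror=alert(1)>.jpg'

# Hypothetical stand-in for the history title markup (assumption, not the real template).
TEMPLATE = '<h1 title="{name}">History of {name}</h1>'


def render_unescaped(name):
    """Vulnerable pattern: the stored filename is written into the HTML as-is."""
    return TEMPLATE.format(name=name)


def render_escaped(name):
    """Hardened pattern: encode &, <, >, " and ' before output."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


class _Audit(HTMLParser):
    """Records every element, every on* handler attribute and all text nodes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.handlers, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [(tag, k) for k, _ in attrs if k.startswith("on")]

    def handle_data(self, data):
        self.text.append(data)


def audit(markup, allowed_tags=("h1",)):
    """Return (unexpected elements, event-handler attributes, visible text)."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    unexpected = [t for t in parser.tags if t not in allowed_tags]
    return unexpected, parser.handlers, "".join(parser.text)


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        print(render.__name__, audit(render(FILENAME)))
```

      With the escaped rendering the parser sees only the h1 element and the visible text contains the full filename, which matches the expected result above.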

            People

              tmortagne Thomas Mortagne
              MichaelHamann Michael Hamann