Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 14.3-rc-1, 13.10.6
Affects Version/s: 1.1 M1
Component/s: Web - Templates & Resources
Labels:

Tests:

Unit
Development Priority:
High
Difficulty:
Unknown
Documentation:
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mxf2-4r22-5hq9
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

Create a file "><img src=1 onerror=alert(1)>.jpg locally (any image will do).
Attach it to a wiki page.
Click on the attachments button at the bottom of the page.
Click on the version number next to the filename to display the history.

Expected result:

The history is displayed and the full filename is displayed in the title.

Actual result:

An alert is displayed again and the filename in the title of the history isn't fully displayed.

This demonstrates a persistent XSS vulnerability in the attachment history displayer (i.e., viewattachrev.vm) which should be exploitable with just write access to the user profile. As always, this can be used for privilege escalation when a user with, e.g., programming rights visits the attachment history by modifying the user profile through the injected JavaScript with the rights of the visiting user.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

history-XSS.png
92 kB
06/Apr/22 11:48

Issue Links

is caused by

XWIKI-9000 Error when clicking on "View attachment history" for an attachment when not using legacy oldcore

Closed

relates to

XWIKI-19667 The move attachment form is missing escaping and some translations

Closed

links to

GitHub Security advisory

Activity

People

Assignee:: Thomas Mortagne

Reporter:: Michael Hamann

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06/Apr/22 11:41

Updated:: 08/Sep/22 14:30

Resolved:: 14/Apr/22 17:06

Date of First Response:: 14/Apr/22 2:33 PM