XWiki Platform: XWIKI-19613

XSS in the deleted attachments list


Details

    • High
    • Unknown
    • N/A

    Description

      Steps to reproduce:

      1. Create a file "><img src=1 onerror=alert(1)>.jpg locally (any image will do).
      2. Go to your user profile, click edit on the avatar, select the image and press upload and select.
      3. Open the avatar editing again and press the delete button on the image.
      4. Go to the global menu, click on "Page Index" and click on "Deleted Attachments"

      Expected result:

      1. The deleted attachment is displayed with the full filename.

      Actual result:

      1. An alert is displayed and the filename in the attachment column is not fully displayed.

      This demonstrates a persistent XSS vulnerability in the deleted attachments list, which should be exploitable with just write access to the user profile. As always, this can be used for privilege escalation: when a user with, e.g., programming rights visits the deleted attachments list, the injected JavaScript can modify the user profile with the rights of the visiting user.
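      The following is an added example, not XWiki's own template or the actual fix: it shows how the filename from the steps above breaks out of the markup when a list template interpolates it unescaped (explaining both the alert and the truncated cell text), and how escaping at each interpolation point neutralises it. The row layout, the download URL shape and the document name `XWiki.Alice` are assumptions; in XWiki's Velocity templates the equivalent safeguard is passing values through `$escapetool.xml(...)` rather than writing them raw.

```javascript
// Added example (not XWiki's code): shows how the filename from the report
// breaks out of the markup when a list template interpolates it unescaped,
// and how escaping at the interpolation points fixes it. The row layout,
// the download URL shape and the document name are assumptions.

// Constructed sample input: the filename used in the steps to reproduce.
const PAYLOAD_NAME = '"><img src=1 onerror=alert(1)>.jpg';
const DOC = 'XWiki.Alice'; // assumed profile document of the attacker

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the raw filename lands inside the href attribute and
// in the link text. The payload's leading '"' closes the attribute and its
// '>' closes the <a> start tag, so the <img> is parsed as a real element and
// its onerror handler runs; the visible cell text is only what is left over
// after the injected tag, which is why the name is not fully displayed.
function renderRowUnsafe(doc, name) {
  const href = '/xwiki/bin/downloadrev/' + doc + '/' + name;
  return '<tr><td class="attachment"><a href="' + href + '">' + name + '</a></td></tr>';
}

// Hardened rendering: URL-encode the name where it becomes a path segment and
// HTML-escape every value at the point where it is written into the markup.
function renderRowSafe(doc, name) {
  const href = '/xwiki/bin/downloadrev/' + doc + '/' + encodeURIComponent(name);
  return '<tr><td class="attachment"><a href="' + escapeHtml(href) + '">' +
    escapeHtml(name) + '</a></td></tr>';
}

// Crude stand-in for the browser parser: true if the markup contains an
// <img ...> start tag that the template itself never wrote.
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}

// Text a reader would see in the cell: strip tags, then decode the entities
// escapeHtml produces, so a correctly escaped name round-trips unchanged.
function visibleText(html) {
  return html.replace(/<[^>]*>/g, '')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Stand-alone run (CommonJS): print both rows and the checks on them.
if (typeof require !== 'undefined' && require.main === module) {
  const unsafe = renderRowUnsafe(DOC, PAYLOAD_NAME);
  const safe = renderRowSafe(DOC, PAYLOAD_NAME);
  console.log('unsafe row:', unsafe);
  console.log('  injected tag:', containsInjectedTag(unsafe),
    ' visible text:', JSON.stringify(visibleText(unsafe)));
  console.log('safe row:  ', safe);
  console.log('  injected tag:', containsInjectedTag(safe),
    ' visible text:', JSON.stringify(visibleText(safe)));
}
```

      The check functions are deliberately simple string inspections rather than a real HTML parser; they are enough to show the two outcomes the report describes (a live `<img>` element plus a truncated name in the unsafe row, the full filename and no element in the escaped row). Note that escaping the link text alone would not be sufficient: the attribute value is a separate injection point and needs its own escaping.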


            People

              tmortagne Thomas Mortagne
              MichaelHamann Michael Hamann
              Votes: 0
              Watchers: 2
