Details
- Type: Bug
- Resolution: Fixed
- Priority: Blocker
- Affects versions: 14.9, 13.10.10
- Environment: Windows 11 Pro 64bit, Firefox 106, using an instance of XWiki 13.10.10 on MariaDB 10.6, Tomcat 9.0.68
- Unknown
- N/A
- N/A
Description
STEPS TO REPRODUCE
- Create a user U1 and deny the Script right for it from Administer Wiki > Users & Rights > Rights
- Log in with the user U1 and go to its user profile
- Click the "Edit profile" button and paste the following under the About section (in Source):
{{liveData id="movies" properties="title,description"}}
{
  "data": {
    "count": 1,
    "entries": [
      {
        "title": "Meet John Doe",
        "url": "https://www.imdb.com/title/tt0033891/",
        "description": "<img onerror='alert(1)' src='foo' />"
      }
    ]
  },
  "meta": {
    "propertyDescriptors": [
      { "id": "title", "name": "Title", "visible": true, "displayer": {"id": "link", "propertyHref": "url"} },
      { "id": "description", "name": "Description", "visible": true, "displayer": "html" }
    ]
  }
}
{{/liveData}}
- Click 'Save & View'
EXPECTED RESULTS
No alert is displayed.
ACTUAL RESULTS
An alert popup with content "1" is displayed.
The issue also reproduces on XWiki 14.9.
Note: another way to reproduce is to use the same user without the Script right, have it edit an AWM entry (e.g., http://localhost:8080/xwiki/bin/view/Help/Applications/Movies/Meet%20John%20Doe), and put the same Live Data macro in the poster field.
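The root cause is that the "html" displayer renders a property value verbatim, so a user who has no Script right can still inject markup that the browser executes. The mitigation a defender wants is to treat such values as untrusted and pass them through an allowlist sanitizer before they are rendered. The following Python script is an added illustration written for this issue, not XWiki's own code or its actual fix: it uses the standard-library HTMLParser to keep only a small set of tags and attributes, drops every `on*` event handler and every non-http(s)/mailto URL, discards the bodies of script/style elements, and reports what it dropped so the rejections can be logged. The allowlist policy, the function names and the sample Live Data JSON (copied from the steps above) are assumptions of the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist for what an "html" displayer may emit when the content author is
# not trusted (illustrative policy, not XWiki's own sanitizer configuration).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "span", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"br", "img"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
RAW_TEXT_TAGS = {"script", "style"}  # their bodies are dropped, not just their tags


def _safe_url(value):
    # Relative URLs have no scheme; anything else must use an allowlisted scheme.
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class _Sanitizer(HTMLParser):
    """Re-serialises the input, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (tag, attribute-or-None) pairs removed: worth logging
        self._skipping = None  # raw-text tag whose body is currently being discarded

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._skipping = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))  # event handlers, style, unknown attrs
            elif name in ("href", "src") and not _safe_url(value):
                self.dropped.append((tag, name))  # javascript:, data:, vbscript:, ...
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping is None:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(untrusted):
    """Return (clean_html, dropped) for one displayer value."""
    p = _Sanitizer()
    p.feed(untrusted)
    p.close()
    return "".join(p.out), p.dropped


def html_displayed_properties(meta):
    """Ids of properties whose displayer is "html" (given as a string or as {"id": "html"})."""
    ids = []
    for desc in meta.get("propertyDescriptors", []):
        disp = desc.get("displayer")
        if (disp.get("id") if isinstance(disp, dict) else disp) == "html":
            ids.append(desc["id"])
    return ids


def sanitize_entries(live_data):
    """Copy of the Live Data entries with every html-displayed property sanitised."""
    props = html_displayed_properties(live_data["meta"])
    cleaned = []
    for entry in live_data["data"]["entries"]:
        entry = dict(entry)
        for prop in props:
            if isinstance(entry.get(prop), str):
                entry[prop], _ = sanitize_html(entry[prop])
        cleaned.append(entry)
    return cleaned


# Constructed sample: the JSON from the reproduction steps above.
LIVE_DATA = {
    "data": {"count": 1, "entries": [{
        "title": "Meet John Doe",
        "url": "https://www.imdb.com/title/tt0033891/",
        "description": "<img onerror='alert(1)' src='foo' />",
    }]},
    "meta": {"propertyDescriptors": [
        {"id": "title", "name": "Title", "visible": True,
         "displayer": {"id": "link", "propertyHref": "url"}},
        {"id": "description", "name": "Description", "visible": True, "displayer": "html"},
    ]},
}

if __name__ == "__main__":
    for entry in sanitize_entries(LIVE_DATA):
        print(entry["description"])  # <img src="foo">
```

The `dropped` list is the detection hook: in a real deployment every rejected tag or attribute for a given author and document is a signal worth recording, because a benign author rarely produces event-handler attributes in a description field. Applying the sanitizer only to values bound to an "html" displayer keeps the "link" displayer's URL handling untouched, which is where the example's allowlist of URL schemes would otherwise have to be enforced.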
Attachments
Issue Links
- depends on XWIKI-20373 Privilege escalation via properties with wiki syntax that are executed with the wrong author (Closed)
- relates to XWIKI-20143 Stored XSS via the HTML displayer in Live Data (Closed)
- links to