Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20335

RXSS with authenticate endpoints

    XMLWordPrintable

Details

    • Unit
    • Unknown
    • N/A

    Description

      SUBMISSION REFERENCES

      RESEARCHER INFORMATION

      • Submitter: rekter0

      SUBMISSION INFORMATION

      • Created at: Fri, 04 Nov 2022 04:27:54 GMT
      • Submission status: Archived

      REPORT CONTENT

      • Severity: Medium (5.4)
      • Domain: https://intigriti.xwiki.com/ (Url)
      • Proof of concept: ### Summary
        parts of URI reflected in body tag without proper check
          1. poc

      to trigger alertbox with access to DOM click the following URI

      ```
      https://intigriti.xwiki.com/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword
      ```

      {52265}
      • Impact: XSS results in unauthorized code being executed/rendered by a user's browser. As a result the following may occur:

      Perform action within the application that the user can perform
      untrusted code can modify the DOM environment and retrieve/modify various values
      view any information that the user is able to view
      initiate interactions with other application users including malicious attacks that will appear to originate from the initial victim user

      Attachments

        Issue Links

          is caused by

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-19591 Local users of subwikis can't recover password or username

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Activity

            People

              surli Simon Urli
              intigriti Intigriti Integration
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: