Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20341

RXSS in Delete Template via redirect parameter

    XMLWordPrintable

Details

    • Unknown
    • N/A

    Description

      SUBMISSION REFERENCES

      RESEARCHER INFORMATION

      • Submitter: renniepak

      SUBMISSION INFORMATION

      • Created at: Mon, 07 Nov 2022 11:20:22 GMT
      • Submission status: Archived

      REPORT CONTENT

      I found a Reflected Cross-Site Scripting vulnerability on your website https://intigriti.xwiki.com:

        1. Reproduction
          1. Navigate to: https://intigriti.xwiki.com/xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain)
          2. Click the cancel button
        1. Result
          As soon as you click the cancel button our XSS payload triggers:
      {203485}
      • Impact: If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:
      • Perform any action within the application that the user can perform.
      • View any information that the user is able to view.
      • Modify any information that the user is able to modify.
      • Personal data involved: No
      • Recommended solution: In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:
      • *Filter input on arrival.* At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
      • *Encode data on output.* At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
      • *Use appropriate response headers.* To prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
      • *Content Security Policy.* As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
      • Endpoint: https://intigriti.xwiki.com/xwiki/bin/get/FlamingoThemes/Cerulean
      • Type: Reflected Cross-Site Scripting
      • Attachments: Screenshot 2022-11-07 121945.png

      Attachments

        Issue Links

          depends on

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-20583 Provide a macro for sanitizing URLs in templates

          • Major - Major loss of function.
          • Closed
          is caused by

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-10198 Implement "create/delete/rename" actions in Flamingo

          • Major - Major loss of function.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-20672 RXSS vulnerability in Delete Template via redirect parameter

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Activity

            People

              surli Simon Urli
              intigriti Intigriti Integration
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: