XWiki Platform / XWIKI-20612

RXSS via xredirect parameter in deletespace template



    Description

      Reproduction steps:

      Expected result:

      • You're redirected to the Sandbox page

      Obtained result:

      • You see an alert

      This shows that this kind of URL can be exploited for XSS.
      Note that the impact may be mitigated by the fact that this feature is no longer used in XS, so it would be surprising to ask an admin to go there. It is still bundled as a feature, however, so it can be exploited.

      People

        surli Simon Urli