Details
- Security
- Resolution: Fixed
- Blocker
- 6.2-milestone-1
Description
Reproduction steps:
- As Admin, go to http://localhost:8080/xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain)
- Click No
Expected result:
- The user is redirected to the list of applications
Obtained result:
- A JavaScript alert is displayed
This shows that the xredirect parameter of this view accepts a javascript: URL, so the view can be exploited to steal information from admins.
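The defect is a redirect target taken from a request parameter without checking its scheme or host. As an added example (not XWiki's code and not the fix shipped under XWIKI-20583), the class below shows the kind of check a template could consult before honouring xredirect: it accepts only relative references and absolute http(s) URLs on one trusted host; the class name and the trusted host value are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added example, not XWiki code: decide whether a user-supplied redirect target
// (such as the xredirect parameter) may be followed. Anything rejected should
// make the caller fall back to a fixed page, e.g. the list of applications.
public final class RedirectTargetValidator {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    private final String trustedHost; // assumed deployment host, e.g. "localhost"

    public RedirectTargetValidator(String trustedHost) {
        this.trustedHost = trustedHost;
    }

    public boolean isSafe(String target) {
        if (target == null || target.isBlank()) return false;
        // Browsers tolerate whitespace/control characters inside a scheme
        // ("java\tscript:"), which defeats naive prefix checks: reject them.
        for (int i = 0; i < target.length(); i++) {
            if (target.charAt(i) <= ' ') return false;
        }
        // Browsers treat '\' like '/', so "/\evil.example" is protocol-relative.
        String candidate = target.replace('\\', '/');
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() == null) {
            // Relative reference: safe unless it carries an authority ("//evil").
            return uri.getRawAuthority() == null && !candidate.startsWith("//");
        }
        if (!ALLOWED_SCHEMES.contains(uri.getScheme().toLowerCase())) {
            return false; // javascript:, data:, vbscript:, ...
        }
        // getHost() ignores user info, so "http://localhost@evil.example/" fails here.
        return trustedHost.equalsIgnoreCase(uri.getHost());
    }

    public static void main(String[] args) {
        RedirectTargetValidator v = new RedirectTargetValidator("localhost");
        // The value from the report above, then the expected redirect target.
        System.out.println(v.isSafe("javascript:alert(document.domain)"));
        System.out.println(v.isSafe("/xwiki/bin/view/AppWithinMinutes/"));
        System.out.println(v.isSafe("http://localhost:8080/xwiki/bin/view/Main/"));
        System.out.println(v.isSafe("//evil.example/"));
    }
}
```

The check is deliberately conservative: a relative path whose first segment contains a colon (for example "Space:Page") parses as an unknown scheme and is rejected, so such targets should be written with a leading slash.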
Issue Links
- depends on: XWIKI-20583 Provide a macro for sanitizing URLs in templates (Closed)
- is caused by: XWIKI-8757 Support 2 roles for users for app within minutes: application creator and data creator (Closed)