XWiki Platform: XWIKI-20672

RXSS vulnerability in Delete Template via redirect parameter


Details

    • Bug
    • Resolution: Fixed
    • Blocker
    • 15.1, 14.10.6
    • 6.0-rc-1
    • Flamingo Skin
    • Windows 11 Pro, Firefox 110, using a local instance of XWiki 14.10.5 on MySQL 8, Tomcat 9.0.71
    • Unknown
    • N/A

    Description

      Steps to reproduce

      1. Go to <server>xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain)
      2. Click the 'Cancel' button

      Expected results

      No alert dialog should be displayed; the Cancel button should only lead back to a page on the wiki.

      Actual results

      An alert dialog showing the document domain is displayed: the javascript: URL passed in the xredirect parameter is used as the Cancel button's link target and executes when the button is clicked.
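A defender-side check for an xredirect-style parameter before it is used as the Cancel link target, added here as an example in Python; it is not XWiki's code or the actual fix, and the /xwiki/ context path, the function names and the sample values are assumptions:

```python
import re
from urllib.parse import urlsplit

# Assumption: the wiki is served under the "/xwiki/" context path seen in the report.
APP_PATH_PREFIX = "/xwiki/"

# Anything that looks like "scheme:" at the start of the value (javascript:, data:, https:, ...).
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")
# Characters browsers strip from both ends of a URL before parsing it (C0 controls and space).
_EDGE_STRIP = "".join(chr(c) for c in range(0x21))


def normalize_like_browser(value: str) -> str:
    """Apply the browser URL-parser quirks that let disguised schemes through.

    Tab, LF and CR are dropped anywhere (so 'java\tscript:' parses as 'javascript:'),
    and leading/trailing C0 controls and spaces are removed.
    """
    value = value.replace("\t", "").replace("\n", "").replace("\r", "")
    return value.strip(_EDGE_STRIP)


def is_safe_local_redirect(value: str) -> bool:
    """True only for an absolute, same-origin path under APP_PATH_PREFIX."""
    if not value:
        return False
    v = normalize_like_browser(value)
    if any(ord(ch) < 0x20 for ch in v):        # leftover control characters
        return False
    if _SCHEME_RE.match(v):                     # javascript:, data:, vbscript:, http(s): ...
        return False
    if v.startswith(("//", "/\\", "\\")):       # protocol-relative and backslash variants
        return False
    parts = urlsplit(v)
    if parts.scheme or parts.netloc:            # belt and braces: no host, no scheme
        return False
    return v.startswith(APP_PATH_PREFIX)


def cancel_target(xredirect: str, default: str) -> str:
    """Pick the Cancel button's href: the supplied value if it is safe, otherwise the default."""
    return normalize_like_browser(xredirect) if is_safe_local_redirect(xredirect) else default


if __name__ == "__main__":
    # Constructed inputs: the value from the report plus a few disguised variants.
    for candidate in ("javascript:alert(document.domain)", "\tjava\nscript:alert(1)",
                      "//evil.example/", "/xwiki/bin/view/FlamingoThemes/Cerulean"):
        print(repr(candidate), "->", is_safe_local_redirect(candidate))
```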

      People

        surli Simon Urli
        iandriuta Ilie Andriuta