XWiki Platform / XWIKI-20854

Reflected XSS in the create document form if name validation is enabled



    Description

      Steps to reproduce:

      1. Enable name validation (in the administration, go to Editing -> Name strategies and select "Enabled" below "Validate names before saving").
      2. Open <xwiki-host>/xwiki/bin/create/Main/%3Cscript%3Ealert%28%27Test%20Test%20Test%20Test%20Test%27%29%3C%2Fscript%3E, where <xwiki-host> is the URL of your XWiki installation.

      Expected result:

      No alert is displayed.

      Actual result:

      An alert with content "Test Test Test Test Test" is displayed.

      This demonstrates an XSS vulnerability in the create action.
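      The report does not show the affected template, so the following is an added illustration of the defect class rather than XWiki's own code: it assumes the sink is a validation error message that reflects the requested document name into the page. The only input is the report's own reproduction URL segment (percent-encoded, as it sits in the request line); the vulnerable renderer interpolates the decoded name raw, the hardened one HTML-escapes it, and a small regression check tells the two apart. Function names and the error-box markup are hypothetical.

```python
import html
from urllib.parse import unquote

# Constructed input: the last path segment of the reproduction URL in this report,
# still percent-encoded as it appears in the request line.
REPORT_PATH_SEGMENT = (
    "%3Cscript%3Ealert%28%27Test%20Test%20Test%20Test%20Test%27%29%3C%2Fscript%3E"
)


def requested_name(path_segment: str) -> str:
    """Decode the path segment the way a servlet container hands it to the action."""
    return unquote(path_segment)


def render_error_vulnerable(name: str) -> str:
    """Hypothetical sink: the rejected name is interpolated raw into the error box,
    so any markup in the name becomes live HTML in the response."""
    return f'<div class="box errormessage">The name "{name}" is not valid.</div>'


def render_error_hardened(name: str) -> str:
    """Same message with the name HTML-escaped for an element/attribute context,
    so markup in the name is displayed as text instead of parsed."""
    return (
        '<div class="box errormessage">The name "'
        + html.escape(name, quote=True)
        + '" is not valid.</div>'
    )


def contains_script_tag(fragment: str) -> bool:
    """Regression check for a rendered fragment: is an unescaped <script opening tag present?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    name = requested_name(REPORT_PATH_SEGMENT)
    for label, render in (
        ("vulnerable", render_error_vulnerable),
        ("hardened", render_error_hardened),
    ):
        out = render(name)
        print(f"{label}: script tag present = {contains_script_tag(out)}")
        print("  " + out)
```

      Running the module prints both renderings; only the vulnerable one still contains a `<script>` tag, the hardened one shows `&lt;script&gt;...&lt;/script&gt;` as inert text. In a Velocity template the equivalent step is to pass the name through an HTML-context escaping helper (such as the Velocity Tools EscapeTool) at every point where it is written into the page, and a check like `contains_script_tag` over the rendered output of the reproduction URL is a cheap regression test to keep once the fix is in.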

            People

              Michael Hamann
