Details
-
Bug
-
Resolution: Fixed
-
Blocker
-
2.4 M2
-
Unit
-
Unknown
-
N/A
-
N/A
-
Description
Steps to reproduce:
- As a simple user with no script right, edit the user profile with the object editor and add an object of type "Template Provider Class". Set the name to "My Template", set template to any page on the wiki. In "Creation Restrictions", enter <img onerror="alert(1)" src="https://www.example.com". Accept the suggestion to add this string in the dropdown. Click "Save & View"
- As any user with edit right, open <xwiki-host>/xwiki/bin/create/Main/WebHome?parent=&templateprovider=XWiki.<username>&name=foo&spaceReference=Bar, where <xwiki-host> is the URL of your XWiki installation and <username> is the username of the attacker.
Expected result:
An error message Allowed space for 'XWiki.username': <img onerror="alert(1)" src="https://www.example.com" is displayed.
Actual result:
An alert with content "1" is displayed and the whole form is wrapped in an error box.
While this issue existed since XWiki 2.4 M2, it is not really a security issue until 7.2 where script right was introduced.
Attachments
Issue Links
- is caused by
-
XWIKI-5237 Allow to provide document templates on document creation
-
- Closed
-
- links to