Details
- Bug
- Resolution: Fixed
- Blocker
- 15.9-rc-1
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
- As a user without script right, create an object of type XWiki.Notifications.Code.NotificationDisplayerClass on any document. Set "Event Type" to "update" and "Notification template" to <script>alert('XSS')</script>.
- As a user with admin right, edit the document.
Expected result:
A warning is displayed, because editing (and saving) the document grants the object admin right, which is required for it to be active.
Actual result:
No warning is displayed. After the document has been edited, an alert is displayed for every notification about a document update, and the notification itself is no longer displayed. Note that this vulnerability cannot be used to execute Velocity code directly, as the analyzer detects Velocity code and warns the admin before the document is edited.
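As an added illustration (not XWiki's code), a constructed model of the required-rights check: the first function mirrors the Velocity-only behaviour the report describes, the second warns for the displayer object itself, as the expected result asks, and additionally flags client-side script in the template. The class name and field names follow the report; the function names, regexes and the XObject model are assumptions.

```python
import re
from dataclasses import dataclass, field

DISPLAYER_CLASS = "XWiki.Notifications.Code.NotificationDisplayerClass"

# Velocity directives (#if, #set, #foreach, ...) and references ($var, ${var}, $!var).
VELOCITY_RE = re.compile(r"#(if|set|foreach|macro|include|parse|end|else|elseif)\b|\$!?\{?[A-Za-z_]")
# Markup that executes in the browser even though it contains no Velocity at all.
SCRIPT_RE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


@dataclass
class XObject:
    """Minimal stand-in for an XWiki object: class name plus field values (assumption)."""
    xclass: str
    fields: dict[str, str] = field(default_factory=dict)


def buggy_required_rights(obj: XObject) -> list[str]:
    """Behaviour the report describes: only Velocity in the template raises a warning."""
    template = obj.fields.get("Notification template", "")
    return ["velocity: requires script right"] if VELOCITY_RE.search(template) else []


def fixed_required_rights(obj: XObject) -> list[str]:
    """Warn whenever saving would grant rights the object needs to become active."""
    findings = []
    if obj.xclass == DISPLAYER_CLASS:
        # The displayer only becomes active once the document is saved by an admin,
        # so the object itself is the reason to warn, independent of its content.
        findings.append("object: NotificationDisplayerClass requires admin right")
        template = obj.fields.get("Notification template", "")
        if VELOCITY_RE.search(template):
            findings.append("template: Velocity code present")
        if SCRIPT_RE.search(template):
            findings.append("template: client-side script present")
    return findings


# Constructed object matching the reproduction steps of the report.
REPRO = XObject(DISPLAYER_CLASS, {"Event Type": "update",
                                  "Notification template": "<script>alert('XSS')</script>"})

if __name__ == "__main__":
    print("buggy:", buggy_required_rights(REPRO))  # no warning, as in the actual result
    print("fixed:", fixed_required_rights(REPRO))
```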