XWiki Platform issue XWIKI-22470

No warning when granting XWiki.Notifications.Code.NotificationDisplayerClass admin right



    Description

      Steps to reproduce:

      1. As a user without script right, create an object of type XWiki.Notifications.Code.NotificationDisplayerClass on any document. Set "Event Type" to "update" and "Notification template" to <script>alert('XSS')</script>.
      2. As a user with admin right, edit the document.

      Expected result:

      A warning is displayed, because saving the edit grants the object admin right, which is required for the notification displayer to become active.

      Actual result:

      No warning is displayed. After the admin edits the document, the alert is shown for every notification about a document update, and the notification itself is no longer rendered. Note that this vulnerability cannot be used to execute Velocity code directly: the required rights analyzer detects Velocity code in the template and warns the admin before the document is edited.

            People

              MichaelHamann Michael Hamann