Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Critical
Fix Version/s: 16.8.0, 16.4.4, 15.10.13
Affects Version/s: 13.5-rc-1
Component/s: WYSIWYG Editor
Labels:
- attacker_view
- security

Tests:

Unit
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

Open <xwiki-host>/xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https://www.example.com where <xwiki-host> is the URL of your XWiki installation.

Expected result:

No redirect is performed, an error is possibly displayed.

Actual result:

The browser is redirected to https://www.example.com. This demonstrates an open redirect vulnerability that could be used, e.g., for phishing attacks.

This has been reported on SonarCloud, see https://sonarcloud.io/project/issues?open=AXnpAhzJDDFOvAKXAQy3&id=org.xwiki.platform%3Axwiki-platform.

Attachments

Issue Links

links to

Security Advisory

Activity

People

Assignee:: Michael Hamann

Reporter:: Michael Hamann

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 05/Sep/24 13:55

Updated:: 22/Apr/25 13:52

Resolved:: 27/Sep/24 17:59