Details

- Type: Bug
- Resolution: Invalid
- Priority: Major
- None
- 17.6.0
- Environment: stable-postgres-tomcat Docker image
- Unknown
Description
XWiki allows users to upload attachments to pages. In the tested configuration, it was possible to upload files with active script content, such as SVG and HTML documents containing embedded JavaScript. These files were stored by XWiki and served back without sanitisation or content-type restrictions. When another user accessed the uploaded file directly in their browser, the malicious script executed in their context.
Because the uploaded file is persistent and accessible to any viewer, this constitutes a stored XSS vulnerability. An attacker could craft a file that executes JavaScript when opened, then attach it to a page. Other users viewing the file would have their browser sessions compromised.
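The mitigation the report implies is to stop serving attachments of browser-active types inline in the wiki's origin. The following is an added, generic illustration of that server-side decision (it is not XWiki's attachment-serving code, and the type list and header policy are assumptions): it picks response headers from the declared type and a peek at the file's first bytes, forcing a download plus a sandboxing CSP for anything that could carry script.

```python
# Added example: choose response headers for a user-uploaded attachment so that
# browser-active content (SVG, HTML, XML) is never rendered in the wiki's origin.
# Generic sketch, not XWiki's code; the type list below is a constructed policy.
import mimetypes
import re
from typing import Dict

# Content types a browser will render and that can embed script.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/javascript", "text/javascript",
}

def sniff_looks_active(head: bytes) -> bool:
    """Cheap content check: does the start of the file look like script-capable markup?
    Catches uploads whose declared type lies (e.g. an SVG uploaded as text/plain)."""
    sample = head[:512].lower()
    return any(tag in sample for tag in (b"<svg", b"<script", b"<html", b"<!doctype html"))

def attachment_headers(filename: str, declared_type: str, head: bytes) -> Dict[str, str]:
    """Return the HTTP headers to serve an attachment with.

    Active content is served as a download (Content-Disposition: attachment) and,
    for any browser that still renders it, under a CSP that blocks script and
    isolates it in an opaque origin. Everything else may be shown inline.
    nosniff stops the browser from reinterpreting the body as HTML.
    """
    content_type = (declared_type or mimetypes.guess_type(filename)[0]
                    or "application/octet-stream").split(";")[0].strip().lower()
    # Keep the filename parameter free of quotes, separators and control characters.
    safe_name = re.sub(r"[^\w.\-]", "_", filename) or "download"
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
    }
    if content_type in ACTIVE_CONTENT_TYPES or sniff_looks_active(head):
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
        headers["Content-Security-Policy"] = "sandbox; default-src 'none'"
    else:
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers

if __name__ == "__main__":
    # Constructed sample uploads: an SVG, a PNG, and markup mislabelled as plain text.
    print(attachment_headers("logo.svg", "image/svg+xml", b'<svg xmlns="http://www.w3.org/2000/svg"/>'))
    print(attachment_headers("photo.png", "image/png", b"\x89PNG\r\n\x1a\n"))
    print(attachment_headers("notes.txt", "text/plain", b"<html><body>hi</body></html>"))
```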