XWiki Platform: XWIKI-23462

Reflected Cross-Site Scripting (XSS) in Error Messages


Description

The /bin/distribution/XWiki/Distribution endpoint was found to be vulnerable to reflected XSS via the extensionId and extensionVersion query parameters. When attacker-supplied values are passed in these parameters, they are reflected unescaped into the resulting error message. As a result, arbitrary JavaScript is executed in the browser of any user who follows a crafted link to this endpoint.

Because the payload executes as soon as the error message is rendered, this vulnerability can be exploited without requiring the victim to upload content or otherwise interact beyond clicking a malicious link.
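The defect described above is a missing output-encoding step: untrusted query parameters are spliced into an HTML error message without escaping. The following Python snippet is an added illustration of that pattern and its fix, not code from XWiki (which renders such messages from Java and Velocity templates); the error message wording, the function names and the constructed query string are assumptions made for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string (not taken from the issue); it carries
# harmless markup so the difference between the two renderers is visible.
CONSTRUCTED_QUERY = "extensionId=<b>demo</b>&extensionVersion=1.0"


def render_error_unsafe(extension_id: str, extension_version: str) -> str:
    """Vulnerable pattern: parameter values interpolated straight into HTML."""
    return (
        f"<p class=\"error\">Extension {extension_id} version "
        f"{extension_version} could not be found.</p>"
    )


def render_error_safe(extension_id: str, extension_version: str) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped for the text
    context it lands in before the message is assembled."""
    safe_id = html.escape(extension_id, quote=True)
    safe_version = html.escape(extension_version, quote=True)
    return (
        f"<p class=\"error\">Extension {safe_id} version "
        f"{safe_version} could not be found.</p>"
    )


def error_for_query(query_string: str, renderer) -> str:
    """Pull extensionId / extensionVersion out of a raw query string and hand
    them to the chosen renderer, mirroring how a reflected parameter reaches
    an error page."""
    params = parse_qs(query_string, keep_blank_values=True)
    extension_id = params.get("extensionId", [""])[0]
    extension_version = params.get("extensionVersion", [""])[0]
    return renderer(extension_id, extension_version)


def reflects_raw_markup(rendered: str, untrusted_value: str) -> bool:
    """Regression check: True if an untrusted value containing markup
    characters appears verbatim (unescaped) in the rendered output."""
    has_markup_chars = any(ch in untrusted_value for ch in "<>\"'&")
    return has_markup_chars and untrusted_value in rendered


if __name__ == "__main__":
    raw_id = parse_qs(CONSTRUCTED_QUERY)["extensionId"][0]
    for name, renderer in (("unsafe", render_error_unsafe), ("safe", render_error_safe)):
        out = error_for_query(CONSTRUCTED_QUERY, renderer)
        print(f"{name}: {out}")
        print(f"  reflects raw markup: {reflects_raw_markup(out, raw_id)}")
```

The `reflects_raw_markup` helper is the kind of assertion a unit test for the error template would carry: feed each reflected parameter a value with markup characters and require that it never appears verbatim in the response body.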

People

MichaelHamann Michael Hamann
mikecole-mg Mike Cole