Details
- Bug
- Resolution: Fixed
- Major
- 2.2 M2
- None
- Unknown
Description
If a user sets a document title to include script, then it is executed on load of the document.
The script is injected through the breadcrumb trail title below the breadcrumb trail.
Create a document, set title to:
<script>alert("haxd")</script>
This also works for users who sign up with that as their first or last name because those values are set as the title of the document.
Issue Links
- duplicates XWIKI-5205 Reflected XSS in contentview.vm (Closed)
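The behaviour described in this report, and the output-encoding fix for it, as an added example that is not XWiki's code: both input paths (a document title, and a first or last name that becomes a title) reach the same HTML sink. The function names and the `document-title` markup are hypothetical.

```python
import html
from html.parser import HTMLParser

# Title value taken from the report above.
PAYLOAD = '<script>alert("haxd")</script>'

def profile_title(first_name, last_name):
    # Per the report, a user's first and last name are set as the document title.
    return f"{first_name} {last_name}".strip()

def render_title_unsafe(title):
    # Vulnerable pattern: the stored title is written into the page as-is.
    return '<div id="document-title"><h1>' + title + '</h1></div>'

def render_title_safe(title):
    # Fix: encode for the HTML text context at output time, whatever the source.
    return '<div id="document-title"><h1>' + html.escape(title, quote=True) + '</h1></div>'

class _Inspector(HTMLParser):
    """Counts <script> elements and collects the text a reader would see."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts = 0
        self.in_script = False
        self.text = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if not self.in_script:
            self.text.append(data)

def inspect(markup):
    # Returns (number of script elements, visible text) for rendered markup.
    p = _Inspector()
    p.feed(markup)
    p.close()
    return p.scripts, "".join(p.text)

if __name__ == "__main__":
    for title in (PAYLOAD, profile_title(PAYLOAD, "Doe")):
        print("unsafe:", inspect(render_title_unsafe(title)))
        print("safe:  ", inspect(render_title_safe(title)))
```

With encoding applied, the title is displayed verbatim as text and no script element reaches the parser.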