  1. XWiki Platform
  2. XWIKI-4757

Persistent XSS vulnerability through document titles.



    Description

      If a user sets a document title to include script, then it is executed on load of the document.
      The script is injected through the breadcrumb trail title below the breadcrumb trail.

      Create a document, set title to:

      <script>alert("haxd")</script>
      

      This also works for users who sign up with that as their first or last name because those values are set as the title of the document.
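
An added example (not XWiki's code or its actual fix): a Python sketch of the rendering path the report describes, with the unescaped output beside an output-encoded version and a check for titles that are already stored. The HTML structure, function names and sample documents are assumptions made for illustration.

```python
import html
import re

# The payload is the one quoted in the report; everything else is constructed.
PAYLOAD = '<script>alert("haxd")</script>'


def profile_title(first_name, last_name):
    """Per the report, a user's first and last name become the document title."""
    return f"{first_name} {last_name}".strip()


def render_header_unsafe(space, title):
    """Reported behaviour: the stored title is written into the page as-is."""
    return f'<div id="breadcrumbs">{space} &raquo; {title}</div><h1>{title}</h1>'


def render_header(space, title):
    """Hardened form: encode every stored value at the point of output."""
    s = html.escape(space, quote=True)
    t = html.escape(title, quote=True)
    return f'<div id="breadcrumbs">{s} &raquo; {t}</div><h1>{t}</h1>'


MARKUP = re.compile(r"[<>]")


def audit_titles(documents):
    """Return names of documents whose stored title contains markup characters,
    so values saved before the rendering fix can be reviewed."""
    return sorted(n for n, title in documents.items() if MARKUP.search(title))


# Constructed sample store: document name -> stored title.
SAMPLE_DOCS = {
    "Main.WebHome": "Welcome",
    "Sandbox.Test": PAYLOAD,
    "XWiki.jdoe": profile_title("John", "Doe"),
    "XWiki.mallory": profile_title(PAYLOAD, "Smith"),
}

if __name__ == "__main__":
    for name, title in SAMPLE_DOCS.items():
        print(name, "->", render_header(name.split(".")[0], title))
    print("needs review:", audit_titles(SAMPLE_DOCS))
```

Encoding at output covers both entry points named in the report, since the profile title built from first and last name goes through the same renderer as an edited document title.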

            People

              nickless Alex Busenius
              calebjamesdelisle CalebJamesDeLisle
