Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-4758

Reflective XSS attack possible through edit page for logged in users.

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Minor
    • 2.4 M1
    • 2.1.1
    • {Unused} Core
    • None
    • patch, xss
    • Integration
    • Unknown

    Description

      When you edit a page even if it doesn't exist, a link is shown at the top to allow you to view the same page. Script can be injected through this link.

      Logged in user sees a maliciously crafted link and clicks it, script runs.

      http://127.0.0.1:8081/xwikiTrunk/bin/edit/Main/%3Cscript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E

      see: http://jira.xwiki.org/jira/browse/XWIKI-4756 for possible mitigation methods.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-5161 Using XML symbols (<, >, &, ") inside the document title/name/space breaks various parts of the UI and causes the PDF export to throw exceptions

          • Major - Major loss of function.
          • Closed

          Activity

            People

              sdumitriu Sergiu Dumitriu
              calebjamesdelisle CalebJamesDeLisle
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: