
Reflective XSS attack possible through edit page for logged in users.


Details

    • Bug
    • Resolution: Fixed
    • Minor
    • 2.4 M1
    • 2.1.1
    • {Unused} Core
    • None
    • patch, xss
    • Integration
    • Unknown

    Description

      When you edit a page, even one that doesn't exist yet, a link is shown at the top that lets you view the same page. The page name is reflected into that link without escaping, so script can be injected through it.

      A logged-in user sees a maliciously crafted link and clicks it, and the script runs in their session.

      http://127.0.0.1:8081/xwikiTrunk/bin/edit/Main/%3Cscript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E

      See http://jira.xwiki.org/jira/browse/XWIKI-4756 for possible mitigation methods.
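      The following is an added illustration of the fix this report calls for; it is not XWiki's own template or patch code. It models the "view this page" link as a small Python rendering step: the first builder interpolates the document name raw into HTML (the behaviour described above), the second URL-encodes the path segments and HTML-escapes everything that lands in markup. The `/xwiki/bin/view/...` path shape and the function names are assumptions for the example; the document name is taken from the URL in the report.

```python
import html
from urllib.parse import quote, unquote

# Constructed sample input: the decoded page-name segment from the URL in this report.
RAW_DOC_NAME = unquote('%3Cscript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E')


def view_link_unescaped(space: str, doc: str) -> str:
    """Models the reported defect: the page name is dropped into the anchor
    unchanged, so any markup in the name becomes part of the rendered page."""
    return f'<a href="/xwiki/bin/view/{space}/{doc}">{doc}</a>'


def view_link_escaped(space: str, doc: str) -> str:
    """Hardened form: percent-encode each path segment for the href and
    HTML-escape both the attribute value and the visible link text.
    (Path layout is an assumption of this example, not XWiki's real template.)"""
    href = f"/xwiki/bin/view/{quote(space, safe='')}/{quote(doc, safe='')}"
    return (
        f'<a href="{html.escape(href, quote=True)}">'
        f'{html.escape(doc, quote=True)}</a>'
    )


def contains_raw_tag(rendered: str) -> bool:
    """Cheap regression check a test suite can run over rendered output:
    a literal '<script' surviving into the HTML means escaping was skipped."""
    return '<script' in rendered.lower()


if __name__ == "__main__":
    print(view_link_unescaped("Main", RAW_DOC_NAME))
    print(view_link_escaped("Main", RAW_DOC_NAME))
```

      Running the module prints the two renderings side by side; the escaped link still round-trips the original page name (the browser decodes the href back to it), but `<` and `>` reach the document only as `&lt;` and `&gt;`, so nothing executes.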

      Attachments

        1. XWIKI-4758-fix.patch
          4 kB
          Alex Busenius
        2. XWIKI-4758-test-v2.patch
          3 kB
          Alex Busenius
        3. XWIKI-4758-test-v3.patch
          3 kB
          Alex Busenius

            People

              sdumitriu Sergiu Dumitriu
              calebjamesdelisle CalebJamesDeLisle