
Security issue: First comment in a profile is mistaken for the personal information


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 2.4
    • 2.2 RC1, 2.3 M1
    • None
    • None
    • Linux, Jetty + HSQLDB, colibri skin
    • security, xss
    • Integration
    • Unknown

    Description

      The first comment in a profile is displayed in the "About" field of the profile, allowing any user with "Comment" rights to change parts of the profile of other users. Since comments can currently contain JavaScript (see XWIKI-4875), this can be used to insert a profile worm into the profile of a more privileged user (e.g. Admin).

      To reproduce, write the following text as first comment on the user profile:

      {{html}}<script>alert("html")</script>{{/html}}
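
      The following is an added illustration of the mix-up described above, not XWiki's own code or data model. It assumes a simplified document that holds typed objects, a user class "XWiki.XWikiUsers" and a comment class "XWiki.XWikiComments" that both carry a property named "comment", and a buggy lookup that picks the first object with that property name regardless of its class; the fixed lookup restricts the search to the user class, so comment text can no longer reach the About field.

```python
# Hypothetical model of the object mix-up in this report (not XWiki code).
from dataclasses import dataclass, field

USERS_CLASS = "XWiki.XWikiUsers"        # assumed class name for profile data
COMMENTS_CLASS = "XWiki.XWikiComments"  # assumed class name for comments


@dataclass
class XObject:
    xclass: str   # class the object belongs to
    props: dict   # property name -> value


@dataclass
class Document:
    name: str
    objects: list = field(default_factory=list)  # objects in storage order


def about_buggy(doc: Document) -> str:
    """Buggy lookup: returns the first 'comment' property found on any object.
    Because both the user class and the comment class carry a property of
    that name (assumption of this model), a comment stored ahead of the user
    object is silently rendered as the profile's About text."""
    for obj in doc.objects:
        if "comment" in obj.props:
            return obj.props["comment"]
    return ""


def about_fixed(doc: Document) -> str:
    """Fixed lookup: only an object of the user class may supply About text."""
    for obj in doc.objects:
        if obj.xclass == USERS_CLASS and "comment" in obj.props:
            return obj.props["comment"]
    return ""


def build_profile(about: str, comments: list) -> Document:
    """Constructed sample profile: comment objects are stored before the
    user object, which is the ordering the bug depends on in this model."""
    doc = Document("XWiki.Admin")
    for text in comments:
        doc.objects.append(XObject(COMMENTS_CLASS, {"comment": text}))
    doc.objects.append(XObject(USERS_CLASS, {"comment": about}))
    return doc


# The reproduction text from the report, used only as sample comment content.
PAYLOAD = '{{html}}<script>alert("html")</script>{{/html}}'


if __name__ == "__main__":
    doc = build_profile("Site administrator", [PAYLOAD, "nice page"])
    print("buggy About:", about_buggy(doc))   # the comment leaks through
    print("fixed About:", about_fixed(doc))   # the real profile text
```

      Running the module shows the buggy lookup handing the first comment to the About field while the fixed one returns the user's own text; a profile without comments behaves the same under both lookups, which is why the bug only shows once someone comments.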

            People

              sdumitriu Sergiu Dumitriu
              nickless Alex Busenius
