Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Major
Fix Version/s: 2.3.1, 2.4 M1
Affects Version/s: 2.2.3, 2.3, 2.4 M1
Component/s: Web - Templates & Resources
Labels:
None

keywords:
security, xss, patch
Tests:

Integration
Difficulty:
Unknown
Similar issues:

Description

It is possible to inject JavaScript at several places (at least 1 in JavaScript and 2 in HTML) when passing a script as the "editor" parameter. Example:

http://localhost:8080/xwiki/bin/edit/Main/WebHome?&editor=%22;%20alert%28%22js%22%29;%2F%2F%3E%3Cscript%3Ealert%28%22html%22%29%3C%2Fscript%3E

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

XWIKI-5164-fix.patch
5 kB
10/May/10 08:38
XWIKI-5164-test.patch
2 kB
10/May/10 08:38

Activity

People

Assignee:: Sergiu Dumitriu

Reporter:: Alex Busenius

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 05/May/10 13:43

Updated:: 02/Dec/22 10:45

Resolved:: 17/May/10 00:34

Date of First Response:: 17/May/10 12:03 AM