Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-5164

Reflected XSS for logged in users over editor parameter

    XMLWordPrintable

Details

    • security, xss, patch
    • Integration
    • Unknown

    Description

      It is possible to inject JavaScript at several places (at least 1 in JavaScript and 2 in HTML) when passing a script as the "editor" parameter. Example:

      http://localhost:8080/xwiki/bin/edit/Main/WebHome?&editor=%22;%20alert%28%22js%22%29;%2F%2F%3E%3Cscript%3Ealert%28%22html%22%29%3C%2Fscript%3E
      

      Attachments

        Activity

          People

            sdumitriu Sergiu Dumitriu
            nickless Alex Busenius
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: