Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-5170

Reflected XSS in exception trace

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 2.3.1, 2.4 M1
    • 2.3, 2.2.6, 2.4 M1
    • {Unused} Core
    • None
    • security, xss, patch
    • Integration
    • Trivial

    Description

      The detailed information shown on errors contains an unescaped stack trace, which can be used to inject JavaScript. Example using an invalid revision:

      http://localhost:8080/xwiki/bin/viewrev/Main/WebHome?rev=%3Cscript%3Ealert%28%22buh%22%29%3C%2Fscript%3E
      

      Attachments

        Activity

          People

            sdumitriu Sergiu Dumitriu
            nickless Alex Busenius
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: