Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-5191

Reflected XSS in attachmentsinline.vm

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 2.4
    • 2.3, 2.2.6, 2.4 RC1
    • None
    • security, xss, patch
    • Integration
    • Trivial

    Description

      Injection over "xredirect", example:

      http://localhost:8080/xwiki/bin/view/Main/?viewer=attachments&xredirect=%22;alert%285%29;%2F%2F%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E
      

      Attachments

        1. XWIKI-5191-fix.patch
          4 kB
          Alex Busenius
        2. XWIKI-5191-test-updated.patch
          1 kB
          Alex Busenius

        Activity

          People

            sdumitriu Sergiu Dumitriu
            nickless Alex Busenius
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: