Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-5193

SQL injection and reflected XSS in browsewysiwyg.vm

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 2.4
    • 2.3, 2.2.6, 2.4
    • None
    • security, xss, sql injection, patch
    • Integration
    • Trivial

    Description

      HQL injection over "text" parameter:

      http://localhost:8080/xwiki/bin/view/Main/WebHome?xpage=browsewysiwyg&text=%27buh
      

      XSS over space:

      http://localhost:8080/xwiki/bin/view/"><script>alert(1)<%2Fscript><div+id%3D"/WebHome?xpage=browsewysiwyg
      

      Attachments

        1. XWIKI-5193-fix.patch
          3 kB
          Alex Busenius
        2. XWIKI-5193-test-updated.patch
          3 kB
          Alex Busenius

        Activity

          People

            sdumitriu Sergiu Dumitriu
            nickless Alex Busenius
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: