Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-6720

XSS possible in the Activity stream trough User Statuses and User Messages

    XMLWordPrintable

Details

    • xss activity stream user status
    • Unknown

    Description

      User statuses and User messages allow HTML comment.

      This also allows JavaScript that is extremely dangerous.

      It also allows to target a specific user, a group of users or all the users of a wiki.

      Tested and reproducible starting with XWiki 3.0.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-6740 PR leak in Activity Stream

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              thomas_delafosse Thomas Delafosse
              enygma Eduard Moraru
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: