Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-8592

XSS in the user profile

    XMLWordPrintable

Details

    • Easy
    • N/A
    • N/A

    Description

      XSS possible in the user profile through the default fields:

      • first_name
      • last_name
      • company
      • phone
      • blog
      • blogfeed

      For the email field I`ve also noticed that the inline edit form is affected if an html element is filled in at the end of the email.

      As reported by http://www.exploit-db.com/exploits/20856/

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-9073 Security Issue: An unprivileged user is allowed to use HTML/JavaScript in his/her profile

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-9652 Obfuscate e-mail address does not work anymore

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-9653 User Picker doesn't display a correct value on the User Profile page in view mode

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-9655 Links don't work any more in the comment and address user profile fields

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-9658 XSS in the user profile

          • Major - Major loss of function.
          • Closed

          Activity

            People

              enygma Eduard Moraru
              enygma Eduard Moraru
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: