Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-8594

XSS in Main.SpaceIndex on space name

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 5.1-rc-1
    • 4.2-milestone-2
    • Index
    • None
    • Unknown
    • N/A
    • N/A

    Description

      1. Create a new space named "<script>alert('xss')</script>"
      2. Open the space index for the new space and the javascript will be executed from the livetable's 'Space' column.

      As reported on http://www.exploit-db.com/exploits/20856/

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-9336 Quotes are escaped in doc.title livetable column

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-9289 HTML code display instead of User details in Livetable containing User column

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-9493 List of wikis livetable has issue with some characters

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          links to

          Web Link New pull request

          Web Link Pull Request

          Activity

            People

              thomas_delafosse Thomas Delafosse
              enygma Eduard Moraru
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: