Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-9073

Security Issue: An unprivileged user is allowed to use HTML/JavaScript in his/her profile

    XMLWordPrintable

Details

    • security, xss
    • Unknown

    Description

      Any registered user with "View" rights only is still able to use HTML-related features of Wiki Syntax ({{html} }, (% style="..." %) etc.) in all fields of the profile (including first/last name, company, phone...).

      This can be used to create a profile worm that will be executed whenever the profile is viewed by another user (with possibly higher privileges).

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-8592 XSS in the user profile

          • Major - Major loss of function.
          • Closed

          Activity

            People

              thomas_delafosse Thomas Delafosse
              nickless Alex Busenius
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: