XWiki Platform / XWIKI-9366

XSS via FileUpload

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 5.2-milestone-2
    • 5.1
    • Security
    • None
    • Unknown
    • N/A

    Description

      We can upload any kind of file as an attachment. The issue is that we can even upload some HTML/JS files that would be executed if someone goes to the download page.
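
One way a download endpoint can stop uploaded markup from running in the wiki's origin, shown as an added example; it is not the content of the attached patches or XWiki's own code. The function name `download_headers`, the `INLINE_SAFE` allowlist and the sample uploads are assumptions made for illustration.

```python
from urllib.parse import quote

# Assumption: the only types this site agrees to render inline.
# Script-capable types (text/html, image/svg+xml, XML, ...) are deliberately absent.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def download_headers(filename: str, stored_type: str) -> dict:
    """Build response headers for serving an uploaded attachment."""
    # Drop parameters such as "; charset=utf-8" and normalise case before matching.
    mime = stored_type.split(";", 1)[0].strip().lower()
    inline = mime in INLINE_SAFE
    if not inline:
        # Unknown or active content is served as opaque bytes, never as a document.
        mime = "application/octet-stream"
    # Percent-encode the uploader-chosen name (RFC 5987 form) so quotes or
    # CR/LF in it cannot break out of the header.
    safe_name = quote(filename, safe="")
    disposition = "inline" if inline else "attachment"
    return {
        "Content-Type": mime,
        "Content-Disposition": f"{disposition}; filename*=UTF-8''{safe_name}",
        # Stop the browser from sniffing the bytes back into text/html.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: if the body is rendered anyway, scripts stay disabled.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample uploads: (file name, type recorded at upload time).
    samples = [
        ("report.html", "text/html; charset=utf-8"),
        ("diagram.svg", "image/svg+xml"),
        ("logo.png", "image/png"),
    ]
    for name, ctype in samples:
        print(name, "->", download_headers(name, ctype)["Content-Disposition"])
```
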

      Attachments

        1. XWiki-9366.patch
          2 kB
          Thomas Delafosse
        2. XWiki-9366-2.patch
          7 kB
          Thomas Delafosse

            People

              thomas_delafosse Thomas Delafosse
              thomas_delafosse Thomas Delafosse