Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #11061 XSS through wiki attachment
    Actions
    Infos
    #11061
    Thomas Gerbet (tgerbet)
    2018-03-05 18:19
    2018-01-31 10:38
    11391
    Details
    XSS through wiki attachment

    XSS can be injected via a wiki attachment.

    Impact

    An attacker could use this vulnerability to force a victim to execute uncontrolled code.
    CVSSv3 score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Exploitation

    Add a wiki attachment named xss.html with the following content: <html><body><script>alert(1)</script></body></html>

    References

    CWE 79
    OWASP Cross-site Scripting

    Doc/Wiki
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2018-02-01
    Attachments
    Empty
    References
    Referencing request #11061

    Git commit

    tuleap/tuleap/stable

    Merge commit 'refs/changes/38/10438/3' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 26c1a2b7cc
    User avatar Nicolas Terray (nterray) , 2018-02-01 15:24
    request #11061: XSS through wiki attachment 801bfda3ba
    User avatar Thomas Gerbet (tgerbet) , 2018-01-31 10:53
    Referenced by request #11061

    Artifact Tracker v5

    rel #10968 9.18

    Other

    gerrit #10438
    Display settings

    Follow-ups