Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #7840 XSS when importing artifacts in tracker
    Actions
    Infos
    #7840
    Thomas Gerbet (tgerbet)
    2015-03-04 16:22
    2015-02-04 15:57
    7846
    Details
    XSS when importing artifacts in tracker

    XSS could be injected when artifacts are imported into a tracker v5.

    Impact

    An attacker could use this vulnerability to force a victim to execute uncontrolled code.
    CVSS2 score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

    Exploitation

    An example is provided as attachment.

    References

    https://cwe.mitre.org/data/definitions/79.html
    https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2015-02-05
    Attachments
    Artifact links
    Empty
    By Thomas Gerbet (tgerbet)
    (278 B)
    artifact_xss.csv
    Trigger the vuln
    By Thomas Gerbet (tgerbet)
    (27 kB)
    Tracker_xss.xml
    Tracker structure
    References
    Referencing request #7840

    Artifact Tracker v5

    rel #7520 7.10

    Git commit

    tuleap/tuleap/stable

    Merge commit 'refs/changes/04/3604/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 2ef8c41fc5
    User avatar Benjamin Dauton (bdauton_enalean) , 2015-02-05 10:17
    request #7840: Fix XSS when importing artifacts in tracker cc48a4dfa1
    User avatar Thomas Gerbet (tgerbet) , 2015-02-04 16:21

    tuleap/u/vaceletm/tuleap/dev

    Merge commit 'refs/changes/04/3604/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 2ef8c41fc5
    User avatar Benjamin Dauton (bdauton_enalean) , 2015-02-05 10:17
    request #7840: Fix XSS when importing artifacts in tracker cc48a4dfa1
    User avatar Thomas Gerbet (tgerbet) , 2015-02-04 16:21

    Release

    release #100
    Referenced by request #7840

    Other

    gerrit #3604
    Display settings

    Follow-ups