      request #7889 Persistent XSS in cross reference
    Infos
    #7889
    Thomas Gerbet (tgerbet)
    2015-03-04 16:22
    2015-02-26 14:25
    7895
    Details
    Persistent XSS in cross reference

    A persistent XSS could be injected into the description or the link of a cross reference.

    Impact

    An attacker could use this vulnerability to force a victim to execute uncontrolled code.
    CVSS2 score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    Exploitation

    As a project admin, create a new cross reference and put <script>alert(1)</script> in the cross reference description and/or the link. You can then go to <tuleap_url>/project/showdetails.php?group_id=<project_id> to trigger the vulnerability.

    References

    https://cwe.mitre.org/data/definitions/79.html
    https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
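
    The report comes down to stored description and link values reaching the page without output encoding. As an added example (not Tuleap's code and not the merged fix), the sketch below shows the vulnerable rendering shape beside a hardened one; the function names, the array layout and the sample rows are assumptions made for illustration.

```php
<?php
// Added example, not Tuleap code: hypothetical renderer for one cross-reference row.

// Escape text for an HTML element body or a quoted attribute value.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only absolute http(s) URLs or site-relative paths; anything else
// (javascript:, data:, protocol-relative //host) is replaced by '#'.
function safe_link(string $link): string
{
    $link = trim($link);
    if (preg_match('/[\x00-\x20\x7f]/', $link)) {   // whitespace or control bytes
        return '#';
    }
    if (preg_match('#^/(?![/\\\\])#', $link)) {     // "/path", not "//host" or "/\host"
        return $link;
    }
    $scheme = parse_url($link, PHP_URL_SCHEME);
    if (is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true)) {
        return $link;
    }
    return '#';
}

// Vulnerable shape: stored values concatenated into markup unescaped.
function render_reference_unsafe(array $ref): string
{
    return '<tr><td>' . $ref['description'] . '</td><td><a href="'
        . $ref['link'] . '">' . $ref['link'] . '</a></td></tr>';
}

// Hardened shape: validate the link, then escape every value on output.
function render_reference(array $ref): string
{
    $href = safe_link($ref['link']);
    return '<tr><td>' . esc($ref['description']) . '</td><td><a href="'
        . esc($href) . '">' . esc($ref['link']) . '</a></td></tr>';
}

// Constructed sample rows, reusing the test string from the report.
$rows = [
    ['description' => '<script>alert(1)</script>', 'link' => '/example/item?id=1'],
    ['description' => 'Example item', 'link' => '<script>alert(1)</script>'],
    ['description' => 'Example docs', 'link' => 'javascript:alert(1)'],
];
foreach ($rows as $row) {
    echo render_reference($row), PHP_EOL;
}
```

    Escaping alone is not enough for the link field: a javascript: URL contains no HTML metacharacters, which is why the scheme is checked before the value is placed in href.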

    Closed
    2015-03-02

    Follow-ups

    Merged in 7.10.99.59

    • Status changed from Under review to Closed
    • Close date set to 2015-03-02