•  
      request #10228 XSS in the Google Maps plugin of PHPWiki
    Infos
    #10228
    Thomas Gerbet (tgerbet)
    2017-06-12 08:54
    2017-05-16 16:24
    10493
    Details
    XSS in the Google Maps plugin of PHPWiki

    A XSS can be injected into wiki page by using the Google Maps plugin.

    Impact

    An attacker could use this vulnerability to force a victim to execute uncontrolled code.
    CVSSv3 score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Exploitation

    1. Create a wiki page with the following content <?plugin GoogleMaps Longitude=</script><script>alert(1)</script> Latitude=0 ?>
    2. Access the page the newly created wiki page

    References

    CWE 79
    OWASP Cross-site Scripting

    Doc/Wiki
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2017-05-17
    Attachments
    Empty
    References
    Referencing request #10228
    Referenced by request #10228

    Artifact Tracker v5

    rel #10116 9.8

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2017-05-30 09:05
    Adding planned disclosure date.

    Issue has been fixed in PHPWiki by the maintainer, see revision 10007 in the PHPWiki source code repo on Sourceforge.
    User avatar
    Thomas Gerbet (tgerbet)2017-05-18 14:50
    Marc-Etienne Vargenau has acknowledged the initial contact, full vulnerability details has been transmitted.
    User avatar
    Thomas Gerbet (tgerbet)2017-05-17 15:05
    For information, the vulnerability is also present upstream. No way to report security issues is given on the Sourceforge project pages [1], I have tried to reach out directly to Marc-Etienne Vargenau which seem to be the last active maintainer. Waiting for a response.



    [1] https://sourceforge.net/projects/phpwiki/