•  
      request #11171 Downloading a file of the FRS from the webdav web browser plugin can lead to XSS
    Infos
    #11171
    Thomas Gerbet (tgerbet)
    2018-03-06 09:45
    2018-02-20 10:00
    11504
    Details
    Downloading a file of the FRS from the webdav web browser plugin can lead to XSS

    Downloading a file sotred in the FRS form the webdav browser plugin can lead to XSS.

    Impact

    An attacker could use this vulnerability to force a victim to execute uncontrolled code.
    CVSSv3 score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Exploitation

    Add a file in the FRS named xss.html with the following content: <html><body><script>alert(1)</script></body></html> and then download it from the webdav browser plugin.

    References

    CWE 79
    OWASP Cross-site Scripting

    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2018-02-23
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2018-02-20 10:52
    A patch is under review: gerrit #10617.

    • Summary
      -Downloading a file of the FRS from the webdav webbrowser plugin can lead to XSS 
      +Downloading a file of the FRS from the webdav web browser plugin can lead to XSS 
    • Status changed from Under implementation to Under review