request #11685 XSS through the name of a color of select box values

Artifact

Infos

Artifact ID#11685

Submitted byThomas Gerbet (tgerbet)

Last Modified On2023-02-01 15:19

Submitted on2018-06-25 16:10

Rank12097

Details

Summary *

XSS through the name of a color of select box values

Original Submission

XSS can injected in the name of a color of select box values of a tracker and then reflected in the trackers and agile dashboard plugins. While the injection point exists since a while in Tuleap, the exploitation has been made possible with story #11542 and story #11543.

Impact

An attacker could use this vulnerability to force a victim to execute uncontrolled code.
CVSSv3 score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Exploitation

As a tracker admin edit the color of a selectbox value and intercept the request to replace the name of the color by a payload like "><script>alert(1)</script> to demonstrate the issue.

References

CWE 79
OWASP Cross-site Scripting

CategoryTrackers

Reported in version10.2

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toEmpty

StatusClosed

Close date2018-06-25

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #11517	Tuleap	Releases	10.3	Delivered	2018-07-19 18:00	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #11685

Artifact Tracker v5

request #30734 XSS through the name of a color of select box values

Git commit

tuleap/tuleap/stable

Merge commit 'refs/changes/96/11796/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD ead4ae5837

Marie Ange Garnier (marieange) , 2018-06-25 17:51

request #11685: XSS through the name of a color of select box values eaf5b3d95a

Thomas Gerbet (tgerbet) , 2018-06-25 16:12

Show items referenced by request #11685

Referenced by request #11685

Artifact Tracker v5

story #11542 Update tracker "color picker" to have beautiful colors to associate with select box values

story #11543 Use new palette colors as background color in A.D

rel #11517 10.3

Other

Follow-ups

Thomas Gerbet (tgerbet)

2023-02-01 15:19

Public disclosure.

Marie Ange Garnier (marieange)

2018-06-25 17:52

gerrit #11796 integrated into Tuleap 10.2.99.32

Status changed from Under review to Closed
Connected artifacts
- Added Fixed in: rel #11517
Close date set to 2018-06-25

Thomas Gerbet (tgerbet)

2018-06-25 16:13

A patch is under review: gerrit #11796.

Status changed from Under implementation to Under review