      request #22570 XSS via the name of a deleted attachment
    Infos
    #22570
    Thomas Gerbet (tgerbet)
    2021-10-15 10:57
    2021-07-26 13:07
    23845
    Details
    XSS via the name of a deleted attachment

    The file name is not properly escaped in the changeset diff of the tracker artifact view.

    Impact

    A malicious user with the capability to add and remove attachments on an artifact could force a victim to execute uncontrolled code. CVSSv3.1 score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Exploitation

    The issue can be demonstrated by adding a file named <img src=a onerror=alert(1)> to an artifact and then deleting it.

    References

    CWE 79
    OWASP Cross-site Scripting
    CVE-2021-41142
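
The missing output escaping described in the details above, shown as a vulnerable renderer beside a hardened one with a regression check. This is an added example, not part of the original report and not Tuleap's code; the function names and the markup are hypothetical.

```javascript
'use strict';
// Added illustration: function names and markup are hypothetical, not Tuleap's code.

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Vulnerable pattern: the stored file name is concatenated into the diff markup as-is.
function renderRemovedAttachmentUnsafe(fileName) {
  return '<li class="removed">' + fileName + ' removed</li>';
}

// Hardened pattern: the file name is encoded at the point of output.
function renderRemovedAttachment(fileName) {
  return '<li class="removed">' + escapeHtml(fileName) + ' removed</li>';
}

// Regression check: list every element the rendered fragment opens
// that the template itself is not expected to produce.
function unexpectedTags(html, allowed) {
  const found = [];
  const tagPattern = /<\s*([a-zA-Z][a-zA-Z0-9]*)/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    const name = match[1].toLowerCase();
    if (!allowed.includes(name)) found.push(name);
  }
  return found;
}

// File name quoted in the report above.
const reportedName = '<img src=a onerror=alert(1)>';
// Constructed benign name containing characters that also need encoding.
const benignName = 'Q3 report & "notes".pdf';

console.log(unexpectedTags(renderRemovedAttachmentUnsafe(reportedName), ['li']));
console.log(unexpectedTags(renderRemovedAttachment(reportedName), ['li']));
console.log(renderRemovedAttachment(benignName));
```

The same check can be kept as a unit test around whatever template renders attachment names, so a later change that drops the encoding is caught before release.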

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2021-07-26
    Attachments
    Empty
    References

    Follow-ups

    • Thomas Gerbet (tgerbet) 2021-10-15 10:57
    • Thomas Gerbet (tgerbet) 2021-10-15 08:54

      CVE-2021-41142 has been assigned to this issue.


    • Thomas Gerbet (tgerbet) 2021-10-14 10:39

      Public disclosure.

    • Joris MASSON (jmasson) 2021-07-26 14:51

      gerrit #23510 integrated in Tuleap 12.11.99.25


      • Status changed from Under review to Closed
      • Connected artifacts
      • Close date set to 2021-07-26
    • Thomas Gerbet (tgerbet) 2021-07-26 13:47
      • Reported in version set to All
    • Thomas Gerbet (tgerbet) 2021-07-26 13:47

      Patch under review: gerrit #23510.


      • Status changed from Under implementation to Under review