•  
      request #22570 XSS via the name of a deleted attachment
    Infos
    #22570
    Thomas Gerbet (tgerbet)
    2021-10-15 10:57
    2021-07-26 13:07
    24044
    Details
    XSS via the name of a deleted attachment

    The file name is not properly escaped in the changeset diff of tracker artifact view.

    Impact

    A malicious user with the capability to add and remove attachment to an artifact could force a victim to execute uncontrolled code. CVSSv3.1 score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Exploitation

    The issue can be demonstrated by adding a file named <img src=a onerror=alert(1)> to an artifact and then delete it.

    References

    CWE 79
    OWASP Cross-site Scripting
    CVE-2021-41142

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2021-07-26
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2021-10-15 10:57
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2021-10-15 08:54

    CVE-2021-41142 has been assigned to this issue.


    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes