request #42243 XSS via the content of RSS feeds in the RSS widgets

Infos

Artifact ID#42243

Submitted byThomas Gerbet (tgerbet)

Last Modified On2025-03-31 10:17

Submitted on2025-03-20 15:01

Rank43919

Details

Summary *

XSS via the content of RSS feeds in the RSS widgets

Original Submission

The URLs of the entries of the feed are not sanitized before being rendered.

Impact

A project administrator or someone with control over an used RSS feed could use this vulnerability to force victims to execute uncontrolled code.

CVSSv3.1 score: 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L)

Exploitation

Have an RSS feed somewhere with the following content:

<?xml version='1.0' encoding='UTF-8'?>
<rss version="2.0" nsmap="{'atom': 'http://www.w3.org/2005/Atom', 'content': 'http://purl.org/rss/1.0/modules/content/'}">
    <channel>
        <title>XSS Feed</title>
        <docs>http://www.rssboard.org/rss-specification</docs>
        <item>
            <title>XSS Link</title>
            <link>javascript:alert(1)</link>
            <description>Desc</description>
        </item>
</channel>
</rss>

Create a RSS widget linking to it
Access directly to widget content (issue cannot be triggered in the dashboard page), via https://tuleap.example.com/widgets/?dashboard_id=<dashboard_id>&action=ajax&name%5B<myrss || projectrss>%5D=<widget_id> (replace the item between < and > with the appropriate values)

References

CWE 84
OWASP Cross-site Scripting
CVE-2025-30203

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2025-03-21

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #41092	Tuleap	Releases	16.6	Delivered	2025-03-26 17:54	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #42243

Artifact Tracker v5

request #42261 RSS widget crashes when a feed entry do not have an associated link

Git commit

tuleap/tuleap/stable

fix: request #42243 XSS via the content of RSS feeds in the RSS widgets 54cce3f5e8

Thomas Gerbet (tgerbet) , 2025-03-20 15:45

Merge commit 'refs/changes/68/33868/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 650cebc882

Marie Ange Garnier (marieange) , 2025-03-21 14:14

Show items referenced by request #42243

Referenced by request #42243

Artifact Tracker v5

rel #41092 16.6

Git commit

tuleap/tuleap/stable

fix: request #42243 XSS via the content of RSS feeds in the RSS widgets 54cce3f5e8

Thomas Gerbet (tgerbet) , 2025-03-20 15:45

Other

gerrit #33868

Follow-ups

Thomas Gerbet (tgerbet)

2025-03-31 10:17

Public disclosure.

Thomas Gerbet (tgerbet)

2025-03-27 17:37

CVE-2025-30203 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Marie Ange Garnier (marieange)

2025-03-21 14:15

Connected artifacts
- Added Fixed in: rel #41092

Tracker Workflow Manager (forge__tracker_workflow_manager)

2025-03-21 14:15

request fixed by @tgerbet with git #tuleap/stable/54cce3f5e883d16055cb0239e023f48cdf5eb25f.

Status changed from Under review to Closed
Close date set to 2025-03-21

Thomas Gerbet (tgerbet)

2025-03-20 15:50

See gerrit #33868.

Status changed from Under implementation to Under review