•  
      request #43693 XSS when displaying the children of a parent artifact
    Infos
    #43693
    Thomas Gerbet (tgerbet)
    2025-07-22 14:46
    2025-07-03 09:55
    45383
    Details
    XSS when displaying the children of a parent artifact

    The display of children of a parent artifact in the artifact link field are not sanitized.

    Impact

    A malicious user with some control over some artifacts could use this vulnerability to force victims to execute uncontrolled code.

    CVSSv3.1 score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L)

    Exploitation

    1. Have an artifact with a parent in a tracker that does not use the unified artifact link field
    2. Add a child to the parent artifact
    3. Change your realname to something like <img src=a onerror=alert(1)>
    4. Open the children list on the artifact view

    References

    CWE 79
    OWASP Cross-site Scripting
    CVE-2025-53541

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Antoine Sauzeau (antoinesauzeau)
    Closed
    2025-07-07
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2025-07-07 17:00

    CVE-2025-53541 has been assigned to this issue.


    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2025-07-07 15:05
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2025-07-03 12:36
    • Assigned to changed from Thomas Gerbet (tgerbet) to Antoine Sauzeau (antoinesauzeau)