•  
      request #7788 Persistent XSS in attachment of artifact
    Infos
    #7788
    Thomas Gerbet (tgerbet)
    2015-03-04 16:22
    2015-01-22 16:39
    7790
    Details
    Persistent XSS in attachment of artifact

    A persistent XSS could be injected through an attachment of an artifact.

    Impact

    An attacker could use this vulnerability to force a victim to execute uncontrolled code.
    CVSS2 score : 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    Exploitation

    Join a HTML page with some JS to an artifact.

    References

    https://cwe.mitre.org/data/definitions/79.html
    https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2015-01-23
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    It introduces a regression in User eXperience as images can no longer be opened in the browser :(
    User avatar
    dylan bowden (dylan)2015-01-23 09:56
    Integrated in Tuleap 7.9.99.57

    • Status changed from Under review to Closed
    • Close date set to 2015-01-23
    User avatar
    Thomas Gerbet (tgerbet)2015-01-22 17:13
    A patch is under review: gerrit #3507.

    • Summary
      -Persistent XSS in attachement of artifact 
      +Persistent XSS in attachment of artifact 
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Status changed from New to Under review