CVE-2020-13654

XWiki Platform before 12.8 mishandles escaping in the property displayer.

CVE Detail

In XWiki Platform before 12.8, some fileds like "Company" in the user profile editing section are vulnerables to Stored Cross Site Scripting (XSS).

Exploitation Steps

As I first reported at https://jira.xwiki.org/browse/XWIKI-17374, I report below the steps describing the identified vulnerability.

Some fileds like "Company" in the user profile editing section, are vulnerables to Cross Site Scripting XSS.

So, inserting for example "<script> alert("XSS Cross Site Scripting in this field !!!"); </script>" in the Company field someone has access to this page can inject malicious code.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

Following are the steps to reproduce the vulnerability:

  1. Login as admin

  2. Create a test user

  3. Open the user profile page (https://localhost/bin/view/XWiki/<user>)

  4. Click edit button near Personal Information

  5. Edit Company field and insert for example <script> alert("Hello World!"); </script>

  6. Save & View and see the XSS in action

Last updated