CVE-2020-13654
XWiki Platform before 12.8 mishandles escaping in the property displayer.
Last updated
XWiki Platform before 12.8 mishandles escaping in the property displayer.
Last updated
In XWiki Platform before 12.8, some fileds like "Company" in the user profile editing section are vulnerables to Stored Cross Site Scripting (XSS).
| Product | CVE | Owner | CVSSv3 Score | CWE |
|---|---|---|---|---|
As I first reported at https://jira.xwiki.org/browse/XWIKI-17374, I report below the steps describing the identified vulnerability.
Some fileds like "Company" in the user profile editing section, are vulnerables to Cross Site Scripting XSS.
So, inserting for example "<script> alert("XSS Cross Site Scripting in this field !!!"); </script>" in the Company field someone has access to this page can inject malicious code.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
Following are the steps to reproduce the vulnerability:
Login as admin
Create a test user
Open the user profile page (https://localhost/bin/view/XWiki/<user>)
Click edit button near Personal Information
Edit Company field and insert for example <script> alert("Hello World!"); </script>
Save & View and see the XSS in action
7.5 High