Uploaded image for project: 'Apache Jena'
  1. Apache Jena
  2. JENA-1123

Cross Site Scripting (XSS) vulnerability on Fuseki 2.3.1

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • Fuseki 2.3.1
    • Fuseki 2.4.0
    • Fuseki

    Description

      In fuseki web interface, dataset.html page -> tab "query"
      it's possible to write query like:

      SELECT 
      ("<b>hello</b>" AS ?Y)
      ("<script>alert(document.domain)</script>" AS ?X) 
WHERE { }

      that show a pop-up with hostname.
      Probably the problem is with the YASQE dependency.

      Attachments

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            andy Andy Seaborne
            massimiliano.ricci@gmail.com Massimiliano Ricci
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment