[MRM-1972] Stored XSS in Web UI Organization Name - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.2.3
Fix Version/s: 2.2.4
Component/s: Web Interface
Labels:
None
Environment:
Windows 10

Description

UI Configuration->Configure appearance and the Name field is vulnerable to stored XSS.

Only the System Administrator role and its child role the Archiva System Administrator role can use it for privilege escalation.

The inserted code is shown to everybody on every page.

Looks like a similar bug in 1.3.x, but this is 2.2.3 version.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Stored_XSS.PNG
22/Feb/18 23:27
138 kB
Viktor Gazdag
Setup.PNG
22/Feb/18 23:38
79 kB
Viktor Gazdag

Activity

People

Assignee:: Martin Schreier

Reporter:: Viktor Gazdag

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 22/Feb/18 23:38

Updated:: 10/Mar/19 16:06

Resolved:: 10/Mar/19 16:06