Details
- Bug
- Status: Resolved
- Minor
- Resolution: Fixed
- 2.2.3
- None
- Windows 10
Description
The Name field in UI Configuration->Configure appearance is vulnerable to stored XSS.
Only the System Administrator role and its child role, the Archiva System Administrator role, can use it for privilege escalation.
The inserted code is shown to everybody on every page.
Looks like a similar bug in 1.3.x, but this is version 2.2.3.