Posted to dev@isis.apache.org by "Daniel Keir Haywood (Jira)" <ji...@apache.org> on 2022/08/26 15:22:00 UTC
[jira] [Updated] (ISIS-2373) Upload attachment: Preview vulnerable to XSS for html-attachments
[ https://issues.apache.org/jira/browse/ISIS-2373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Keir Haywood updated ISIS-2373:
--------------------------------------
Fix Version/s: 2.0.0
(was: v1 maintenance)
> Upload attachment: Preview vulnerable to XSS for html-attachments
> -----------------------------------------------------------------
>
> Key: ISIS-2373
> URL: https://issues.apache.org/jira/browse/ISIS-2373
> Project: Isis
> Issue Type: Bug
> Components: Isis Viewer Wicket
> Affects Versions: 1.17.0
> Reporter: Stefan Wegener
> Priority: Critical
> Fix For: 2.0.0
>
> Attachments: isis-xss-1.png, isis-xss-2.png
>
>
> First of all: I am not sure if the topic is placed here correctly as it might only affect the Wicket dependency that Isis is using. But: As the current Wicket version (7.9.0) that is used by Isis is vulnerable to it, it should be relevant to you.
>
> I created the following HTML-document named xss_box.html:
> {code:html}
> <html>
> <script language="JavaScript">
> window.alert("Sometext");
> </script>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
> </head>
> <body>...</body>
> </html>
> {code}
> When selecting this document for an upload, usually a preview of the content will be shown. In this case the client uploading the file executes the JavaScript code and gets a modified preview content, as you can see in my attached images.
>
> I do not know if later wicket-versions (currently the newest version is 7.16.0) are protected against this threat.
>
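As an added illustration (not code from the report, from Apache Isis or from Wicket), the pattern that separates the vulnerable preview described above from a safe one: the vulnerable preview inserts the uploaded file's body into the page as markup, so a text/html attachment runs its script in the uploader's browser, while the safe preview escapes the body and shows it as literal text. The sample input is the reporter's xss_box.html, embedded as a string; the function names are the example's own.

```javascript
// Constructed sample input: the reporter's xss_box.html from the issue.
const XSS_BOX_HTML = [
  '<html>',
  '<script language="JavaScript">',
  'window.alert("Sometext");',
  '</script>',
  '<head>',
  '<meta http-equiv="Content-Type" content="text/html;charset=utf-8">',
  '</head>',
  '<body>...</body>',
  '</html>',
].join('\n');

// Escape the five characters that let untrusted text break out of an
// HTML text node or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (what the report describes): the file body becomes
// markup, so any <script> in an HTML attachment executes in the uploader's
// browser when the preview is rendered.
function unsafePreviewMarkup(body) {
  return `<div class="preview">${body}</div>`;
}

// Safe pattern: the body is escaped and wrapped in <pre>, so the user sees
// the attachment's source as text and no element in it becomes live.
// This holds regardless of the MIME type the browser sniffs for the file.
function safePreviewMarkup(body) {
  return `<div class="preview"><pre>${escapeHtml(body)}</pre></div>`;
}

// Simple check used by this example: does the markup still contain an
// unescaped <script> start tag? Sufficient for the sample above, not a
// general HTML sanitiser.
function containsLiveScript(markup) {
  return /<script\b/i.test(markup);
}
```

When a rendered (not source) preview of HTML is actually wanted, the same principle applies: the content must be isolated (for example in a sandboxed frame) rather than placed into the application's own document.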