Posted to issues@guacamole.apache.org by "Michael Jumper (JIRA)" <ji...@apache.org> on 2019/05/14 20:44:00 UTC
[jira] [Deleted] (GUACAMOLE-794) Cross-Site-Scripting (XSS) WebApp Notification Modal
[ https://issues.apache.org/jira/browse/GUACAMOLE-794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Jumper deleted GUACAMOLE-794:
-------------------------------------
> Cross-Site-Scripting (XSS) WebApp Notification Modal
> ----------------------------------------------------
>
> Key: GUACAMOLE-794
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-794
> Project: Guacamole
> Issue Type: Bug
> Reporter: Chris H
> Priority: Major
> Labels: Security, XSS, vulnerability
>
> A Cross-Site-Scripting vulnerability was found in the notification modal.
> Steps to reproduce:
> # docker run .... guacamole/guacamole (link it to the database)
> # Log in [http://xx.xx.xx.xx:8080/guacamole/]
> # Go to Settings -> Users
> # Click "New user"
> # Put in the field: "Username:" the following code
> {code:java}
> <script>alert(42)</script>
> {code}
> # Fill out other required fields
> # Press "Save"
> Result (see attachment below):
> # Alert box with content: 42
> # After pressing OK a Red HTML - message / notification modal appears containing message: 'User "" already exists'
> Expected Result
> * Blocking such user name or
> * Safely validating untrusted HTML / Script input
> Side effects:
> It's not possible to edit this user again nor delete this user.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
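The report lists two acceptable outcomes: rejecting such a username up front, or rendering untrusted input safely in the notification. The following is an added illustration of both, written for this thread and not taken from Guacamole's own code; the function names, the username allowlist and the "element-like" object are assumptions chosen so it runs outside a browser.

```javascript
// Added illustration (not Guacamole's code): the two mitigations the report asks for.

// Option 1 (assumed policy): only accept plain identifier-style usernames.
const USERNAME_RE = /^[A-Za-z0-9._@-]{1,64}$/;

function isAcceptableUsername(name) {
  return typeof name === 'string' && USERNAME_RE.test(name);
}

// Option 2a: encode untrusted text before it is spliced into an HTML string.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the raw username becomes part of the modal's markup,
// so a name like <script>alert(42)</script> is parsed as an element.
function buildNoticeUnsafe(username) {
  return `<div class="notice">User "${username}" already exists</div>`;
}

// Hardened pattern: the same message with the username encoded first.
function buildNoticeSafe(username) {
  return `<div class="notice">User "${escapeHtml(username)}" already exists</div>`;
}

// Option 2b (preferred in DOM code): assign text, never markup. `el` is any
// object with a textContent property, e.g. a real element or a plain object.
function setNoticeText(el, username) {
  el.textContent = `User "${username}" already exists`;
  return el;
}

// Stand-alone demo using the payload quoted in the report.
const sample = '<script>alert(42)</script>';
console.log('accepted:', isAcceptableUsername(sample));
console.log('unsafe  :', buildNoticeUnsafe(sample));
console.log('safe    :', buildNoticeSafe(sample));
console.log('text    :', setNoticeText({}, sample).textContent);
```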