Posted to issues@guacamole.apache.org by "Michael Jumper (JIRA)" <ji...@apache.org> on 2019/05/14 20:44:00 UTC

[jira] [Deleted] (GUACAMOLE-794) Cross-Site-Scripting (XSS) WebApp Notification Modal

     [ https://issues.apache.org/jira/browse/GUACAMOLE-794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Jumper deleted GUACAMOLE-794:
-------------------------------------


> Cross-Site-Scripting (XSS) WebApp Notification Modal
> ----------------------------------------------------
>
>                 Key: GUACAMOLE-794
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-794
>             Project: Guacamole
>          Issue Type: Bug
>            Reporter: Chris H
>            Priority: Major
>              Labels: Security, XSS, vulnerability
>
> A Cross-Site-Scripting vulnerability was found in the notification modal.
> Steps to reproduce:
>  # docker run ....  guacamole/guacamole (link it to the database)
>  # Log in [http://xx.xx.xx.xx:8080/guacamole/]
>  # Go to Settings -> Users
>  # Click "New user"
>  # Put in the field: "Username:" the following code
> {code:java}
> <script>alert(42)</script>
> {code}
>  # Fill out other required fields
>  # Press "Save"
> Result (see attachment below):
>  # Alert box with content: 42
>  # After pressing OK a red HTML message / notification modal appears containing message: 'User "" already exists'
> Expected Result
>  * Blocking such user name or
>  * Safely validating untrusted HTML / Script input
> Side effects:
> It's not possible to edit this user again nor delete this user.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
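An added illustration of the two remedies the report asks for, rejecting such usernames up front and escaping untrusted input before it reaches anything that renders HTML. This is example JavaScript written for this page, not Guacamole's own code: the function names (`isValidUsername`, `escapeHtml`, `buildNotificationUnsafe`, `buildNotificationSafe`) and the username allow-list pattern are assumptions, and the message text and payload are taken from the report above.

```javascript
// Example code, not Guacamole's implementation. Names and the allow-list
// pattern below are assumptions made for the illustration.

// Map of the five characters that can break out of an HTML text or
// attribute context to their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value so a browser renders it as literal text even when the
// surrounding string is inserted as HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Remedy 1 from the report: block usernames that are not plain identifiers.
// Assumed policy: letters, digits, dot, underscore, hyphen and '@', 1-64
// characters. A real deployment may need a broader rule (e.g. LDAP names);
// the point is that markup characters never pass.
const USERNAME_PATTERN = /^[A-Za-z0-9._@-]{1,64}$/;

function isValidUsername(username) {
  return USERNAME_PATTERN.test(String(username));
}

// Vulnerable pattern: the untrusted username is spliced straight into a
// message that will later be rendered as HTML. With the report's payload the
// script tag survives intact.
function buildNotificationUnsafe(username) {
  return `User "${username}" already exists`;
}

// Remedy 2 from the report: escape at the point the string is destined for
// HTML rendering, so the same payload shows up on screen as text.
function buildNotificationSafe(username) {
  return `User "${escapeHtml(username)}" already exists`;
}

// Constructed payload, identical to the one in the reproduction steps.
const PAYLOAD = '<script>alert(42)</script>';

// Run both checks against the payload and a benign name and return the
// outcomes so they can be inspected or asserted on.
function demo() {
  return {
    payloadAccepted: isValidUsername(PAYLOAD),      // false: rejected up front
    benignAccepted: isValidUsername('alice.smith'), // true
    unsafe: buildNotificationUnsafe(PAYLOAD),       // still contains <script>
    safe: buildNotificationSafe(PAYLOAD),           // entities only, no tag
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Escaping belongs wherever a string is about to be treated as HTML; a template that binds the value as text rather than as trusted HTML achieves the same effect without a hand-written escaper. The allow-list is defence in depth: it keeps markup out of stored usernames entirely, which also matters for every other screen that later displays the name.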