Posted to commits@openmeetings.apache.org by "Maxim Solodovnik (Jira)" <ji...@apache.org> on 2021/09/07 16:19:00 UTC

[jira] [Resolved] (OPENMEETINGS-2663) XSS Cross Site Scripting

     [ https://issues.apache.org/jira/browse/OPENMEETINGS-2663?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maxim Solodovnik resolved OPENMEETINGS-2663.
--------------------------------------------
    Resolution: Incomplete

According to https://openmeetings.apache.org/security.html,
vulnerabilities should be reported to our security@ mailing list.

This JIRA contains no details.
Please provide a PoC to the mailing list.

Thanks in advance

> XSS Cross Site Scripting 
> -------------------------
>
>                 Key: OPENMEETINGS-2663
>                 URL: https://issues.apache.org/jira/browse/OPENMEETINGS-2663
>             Project: Openmeetings
>          Issue Type: Bug
>    Affects Versions: 6.1.0
>         Environment: QA
>            Reporter: Panimozhi Jothi
>            Assignee: Maxim Solodovnik
>            Priority: Critical
>
> We performed a vulnerability scan on the Openmeetings app and found the "Cross-Site Scripting: Reflected" issue. On checking we also found (https://www.zaproxy.org/docs/alerts/40012/) that Apache Wicket is handled with this vulnerability.
>  
> Any idea why it's reported? Can you confirm whether a VA scan is performed on Openmeetings?
>  
> Sample URLs:
> https://demo-openmeetings.apache.org/openmeetings/42182
> https://demo-openmeetings.apache.org/openmeetings/error/24168
> https://demo-openmeetings.apache.org/openmeetings/hash/75168
> https://demo-openmeetings.apache.org/openmeetings/signin/75133
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)