You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@openmeetings.apache.org by "Maxim Solodovnik (Jira)" <ji...@apache.org> on 2021/09/07 16:19:00 UTC
[jira] [Resolved] (OPENMEETINGS-2663) XSS Cross Site Scripting
[ https://issues.apache.org/jira/browse/OPENMEETINGS-2663?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Maxim Solodovnik resolved OPENMEETINGS-2663.
--------------------------------------------
Resolution: Incomplete
According to https://openmeetings.apache.org/security.html
Vulnerabilities should be reported to our security@ mailing list
This JIRA contains no details
Please provide PoC to the mailing list
Thanks in advance
> XSS Cross Site Scripting
> -------------------------
>
> Key: OPENMEETINGS-2663
> URL: https://issues.apache.org/jira/browse/OPENMEETINGS-2663
> Project: Openmeetings
> Issue Type: Bug
> Affects Versions: 6.1.0
> Environment: QA
> Reporter: Panimozhi Jothi
> Assignee: Maxim Solodovnik
> Priority: Critical
>
> We performed a vulnerability scan on the Openmeetings app and found the "Cross-Site Scripting: Reflected" issue. On checking we also [found |https://www.zaproxy.org/docs/alerts/40012/]that Apache Wicket is handled with these vulnerability.
>
> Any idea why it's reported, can you confirm is VA scan performed on Openmeetings?
>
> Sample URLS:
> https://demo-openmeetings.apache.org/openmeetings/42182
> https://demo-openmeetings.apache.org/openmeetings/error/24168
> https://demo-openmeetings.apache.org/openmeetings/hash/75168
> [https://demo-openmeetings.apache.org/openmeetings/signin/75133]
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)