Posted to issues@archiva.apache.org by "Martin Stockhammer (JIRA)" <ji...@apache.org> on 2019/03/10 09:09:00 UTC
[jira] [Assigned] (MRM-1972) Stored XSS in Web UI Organization Name
[ https://issues.apache.org/jira/browse/MRM-1972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Stockhammer reassigned MRM-1972:
---------------------------------------
Assignee: Martin Stockhammer
> Stored XSS in Web UI Organization Name
> --------------------------------------
>
> Key: MRM-1972
> URL: https://issues.apache.org/jira/browse/MRM-1972
> Project: Archiva
> Issue Type: Bug
> Components: Web Interface
> Affects Versions: 2.2.3
> Environment: Windows 10
> Reporter: Viktor Gazdag
> Assignee: Martin Stockhammer
> Priority: Minor
> Fix For: 2.2.4
>
> Attachments: Setup.PNG, Stored_XSS.PNG
>
>
> UI Configuration->Configure appearance and the Name field is vulnerable to stored XSS.
> Only the System Administrator role and its child role the Archiva System Administrator role can use it for privilege escalation.
> The inserted code is shown to everybody on every page.
> Looks like a similar bug in 1.3.x, but this is 2.2.3 version.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)