Posted to issues@archiva.apache.org by "Martin Stockhammer (JIRA)" <ji...@apache.org> on 2019/03/10 09:09:00 UTC

[jira] [Assigned] (MRM-1972) Stored XSS in Web UI Organization Name

     [ https://issues.apache.org/jira/browse/MRM-1972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Stockhammer reassigned MRM-1972:
---------------------------------------

    Assignee: Martin Stockhammer

> Stored XSS in Web UI Organization Name
> --------------------------------------
>
>                 Key: MRM-1972
>                 URL: https://issues.apache.org/jira/browse/MRM-1972
>             Project: Archiva
>          Issue Type: Bug
>          Components: Web Interface
>    Affects Versions: 2.2.3
>         Environment: Windows 10
>            Reporter: Viktor Gazdag
>            Assignee: Martin Stockhammer
>            Priority: Minor
>             Fix For: 2.2.4
>
>         Attachments: Setup.PNG, Stored_XSS.PNG
>
>
> UI Configuration->Configure appearance and the Name field is vulnerable to stored XSS.
> Only the System Administrator role and its child role, the Archiva System Administrator role, can use it for privilege escalation.
> The inserted code is shown to everybody on every page.
> Looks like a similar bug in 1.3.x, but this is version 2.2.3.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)