Posted to issues@archiva.apache.org by "Viktor Gazdag (JIRA)" <ji...@apache.org> on 2018/02/22 23:39:00 UTC

[jira] [Created] (MRM-1972) Stored XSS in Web UI Organization Name

Viktor Gazdag created MRM-1972:
----------------------------------

             Summary: Stored XSS in Web UI Organization Name
                 Key: MRM-1972
                 URL: https://issues.apache.org/jira/browse/MRM-1972
             Project: Archiva
          Issue Type: Bug
          Components: Web Interface
    Affects Versions: 2.2.3
         Environment: Windows 10
            Reporter: Viktor Gazdag
         Attachments: Setup.PNG, Stored_XSS.PNG

UI Configuration->Configure appearance and the Name field is vulnerable to stored XSS.

Only the System Administrator role and its child role, the Archiva System Administrator role, can use it for privilege escalation.

The inserted code is shown to everybody on every page.

Looks like a similar bug in 1.3.x, but this is version 2.2.3.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
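The report above describes a stored XSS: a string an administrator saves in the appearance settings is later written into every page unescaped. The following is an added illustration, not code from the Archiva project or from the reporter. It models the header rendering in plain JavaScript with two hypothetical render functions (`renderHeaderUnsafe`, `renderHeaderSafe`), a constructed payload, and a small regression check (`countTags`) that flags when a stored value adds elements the template did not contain. Archiva's real template and escaping code is not shown here and may differ.

```javascript
// Added example (not Archiva code). Shows why a stored organization name
// must be HTML-escaped before it is placed into the page header, and a
// simple check that catches the difference.

// Constructed attacker payload, as an admin might type into the Name field.
const ATTACKER_NAME = 'Acme<img src=x onerror="alert(document.cookie)">';

// Minimal HTML escaper for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical vulnerable rendering: the stored value is concatenated
// straight into markup, so any tags it contains become live elements.
function renderHeaderUnsafe(orgName) {
  return `<a id="organization-name">${orgName}</a>`;
}

// Hypothetical fixed rendering: the value is escaped first, so the browser
// shows the literal characters and creates no extra elements.
function renderHeaderSafe(orgName) {
  return `<a id="organization-name">${escapeHtml(orgName)}</a>`;
}

// Regression check: count opening tags in rendered output. For a template
// with exactly one element, any count above one means the stored value was
// interpreted as markup. Run this over every persisted string that is
// rendered into shared pages.
function countTags(html) {
  const matches = html.match(/<[a-zA-Z][^>]*>/g);
  return matches ? matches.length : 0;
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  for (const name of ['Acme Corp', ATTACKER_NAME]) {
    const unsafe = renderHeaderUnsafe(name);
    const safe = renderHeaderSafe(name);
    console.log(`input:  ${name}`);
    console.log(`unsafe: ${unsafe}  (tags=${countTags(unsafe)})`);
    console.log(`safe:   ${safe}  (tags=${countTags(safe)})`);
  }
}
```

For a benign name both renderers produce identical output; for the payload the unsafe renderer yields two elements and the safe one yields one, which is exactly the property a unit test over stored configuration values should assert. Escaping at output time, rather than filtering at input time, is what protects every page, since the setting is written once but read on each request.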