Viktor Gazdag created MRM-1972:

             Summary: Stored XSS in Web UI Organization Name
                 Key: MRM-1972
             Project: Archiva
          Issue Type: Bug
          Components: Web Interface
    Affects Versions: 2.2.3
         Environment: Windows 10
            Reporter: Viktor Gazdag
         Attachments: Setup.PNG, Stored_XSS.PNG

UI Configuration->Configure appearance and the Name field is vulnerable to 
stored XSS.

Only the System Administrator role and its child role the Archiva System 
Administrator role can use it for privilege escalation.

The inserted code is shown to everybody on every page.

Looks like a similar bug in 1.3.x, but this is 2.2.3 version.

This message was sent by Atlassian JIRA

Reply via email to