Viktor Gazdag created MRM-1972:
----------------------------------

             Summary: Stored XSS in Web UI Organization Name
                 Key: MRM-1972
                 URL: https://issues.apache.org/jira/browse/MRM-1972
             Project: Archiva
          Issue Type: Bug
          Components: Web Interface
    Affects Versions: 2.2.3
         Environment: Windows 10
            Reporter: Viktor Gazdag
         Attachments: Setup.PNG, Stored_XSS.PNG

Under UI Configuration -> Configure appearance, the Name field is vulnerable to stored XSS.

Only the System Administrator role and its child role, the Archiva System Administrator role, can use it for privilege escalation.

The inserted code is shown to everybody on every page.

Looks like a similar bug in 1.3.x, but this is the 2.2.3 version.
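The pattern behind the report, as an added illustration that is not Archiva's code: a single stored appearance value (the organization name) is rendered into every page, so rendering it as raw markup turns one admin-set field into stored XSS, while HTML-encoding it at render time renders any saved tags as plain text. The function names and the sample value are assumptions constructed for this example.

```javascript
// Added illustration (not Archiva code): the organization name saved under
// Configuration -> Configure appearance is stored once and shown on every page.
// Interpolating it as raw markup is what makes the stored value stored XSS;
// encoding it as text at render time is the fix.

// Minimal HTML encoder for the characters that matter in text and
// double-quoted attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the stored name goes straight into the markup, so any
// tags an administrator saved become live HTML for every visitor.
function renderOrgNameUnsafe(orgName) {
  return `<span class="org-name">${orgName}</span>`;
}

// Hardened pattern: the same value is encoded first, so tags display as text.
function renderOrgNameSafe(orgName) {
  return `<span class="org-name">${escapeHtml(orgName)}</span>`;
}

// Defender-side audit check: flag a stored appearance setting that already
// contains markup or script-like content, which a real organization name
// never needs. Useful when reviewing the saved configuration after the fact.
function orgNameLooksLikeMarkup(orgName) {
  return /<[a-z!\/]|javascript:|on\w+\s*=/i.test(String(orgName));
}

// Constructed sample value (hypothetical; not a payload from the report).
const SAMPLE_NAME = 'Acme & Sons <b>Archiva</b>';
```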



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)