[ https://issues.apache.org/jira/browse/MRM-1972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Stockhammer updated MRM-1972:
------------------------------------
Fix Version/s: 2.2.4
> Stored XSS in Web UI Organization Name
> --------------------------------------
>
> Key: MRM-1972
> URL: https://issues.apache.org/jira/browse/MRM-1972
> Project: Archiva
> Issue Type: Bug
> Components: Web Interface
> Affects Versions: 2.2.3
> Environment: Windows 10
> Reporter: Viktor Gazdag
> Priority: Minor
> Fix For: 2.2.4
>
> Attachments: Setup.PNG, Stored_XSS.PNG
>
>
> In UI Configuration -> Configure appearance, the Name field is vulnerable to
> stored XSS.
> Only the System Administrator role and its child role, the Archiva System
> Administrator role, can use it for privilege escalation.
> The inserted code is shown to everybody on every page.
> Looks like a similar bug in 1.3.x, but this is version 2.2.3.