Chris H created GUACAMOLE-794:
---------------------------------
Summary: Cross-Site-Scripting (XSS) WebApp Notification Modal
Key: GUACAMOLE-794
URL: https://issues.apache.org/jira/browse/GUACAMOLE-794
Project: Guacamole
Issue Type: Bug
Components: guacamole-client
Affects Versions: 1.0.0
Reporter: Chris H
Attachments: 9h3tXzV.png, Y9I4ZSU.png, quaiB6i.png, z1ZUvVX.png
A Cross-Site-Scripting vulnerability was found in the notification modal .
Steps to reproduce:
# docker run .... guacamole/guacamole (link it to the database)
# Log in [http://xx.xx.xx.xx:8080/guacamole/]
# Go to Settings -> Users
# Click "New user"
# Put in the field: "Username:" the following code
{code:java}
<script>alert(42)</script>
{code}
# Fill out other required fields
# Press "Save"
Result (see attachment below):
# Alert box with content: 42
# After pressing OK a Red HTML - message / notification modal appears
containing message: 'User "" already exists'
Excepted Result
* Blocking such user name or
* Safely validating untrusted HTML / Script input
Site effects:
It's not possible to edit this user again nor delete this user.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
