*SUBMISSION REFERENCES*
* *Submission code*: XWIKI-C7Q0YDJQ
* *Submission URL*: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-C7Q0YDJQ

*RESEARCHER INFORMATION*
* *Submitter*: rekter0

*SUBMISSION INFORMATION*
* *Created at*: Fri, 04 Nov 2022 04:27:54 GMT
* *Submission status*: Accepted, Archived
*REPORT CONTENT*
* *Severity*: Medium (5.4)
* *Domain*: https://intigriti.xwiki.com/ (Url)
* *Proof of concept*:

### Summary

Parts of the URI are reflected in the body tag without a proper check.

### PoC

To trigger an alert box with access to the DOM, click the following URI:

```
https://intigriti.xwiki.com/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword
```
* *Impact*: XSS results in unauthorized code being executed/rendered by a user's browser. As a result, the following may occur:
  * perform actions within the application that the user can perform;
  * untrusted code can modify the DOM environment and retrieve/modify various values;
  * view any information that the user is able to view;
  * initiate interactions with other application users, including malicious attacks that will appear to originate from the initial victim user.
* *Personal data involved*: No
* *Endpoint*: https://intigriti.xwiki.com/xwiki/authenticate/wiki/xwiki[]/resetpassword
* *Type*: Reflected Cross-Site Scripting
* *Attachments*: Screenshot_2022-11-04_05-24-12.png
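The following JavaScript is an added illustration of the attribute break-out the PoC relies on; it is not the researcher's PoC and not XWiki's code. A constructed template interpolates the wiki name taken from the URI path into a `<body>` attribute, and a minimal model of the HTML tag tokenizer shows that the decoded `%22onload=%22alert(origin)%22` segment ends up as a separate `onload` attribute, whereas HTML-attribute-encoding the value keeps it inside the attribute it was meant for. The `class` attribute, the template shape, and every function name here are assumptions made for the example.

```javascript
// Added example (not XWiki's code): how an unencoded URI path segment can
// break out of an attribute in the <body> tag, and how attribute encoding
// stops it. The template using a class attribute is an assumption.

// Path segment from the PoC URI, as the server receives it (percent-encoded).
const POC_SEGMENT = 'xwiki%22onload=%22alert(origin)%22';

// Vulnerable pattern (constructed): the decoded wiki name is concatenated
// straight into an attribute value of the body tag.
function renderBodyVulnerable(wikiName) {
  return `<body class="wiki-${wikiName}">`;
}

// Hardened pattern: HTML-attribute-encode before interpolation, so a quote
// in the value cannot terminate the attribute early.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#x27;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;');
}
function renderBodyHardened(wikiName) {
  return `<body class="wiki-${escapeAttr(wikiName)}">`;
}

// Minimal model of the HTML5 tokenizer's attribute states: a quoted value
// ends at the matching quote, and a new attribute name may follow it even
// without whitespace in between (a parse error, but browsers accept it).
function attributeNames(tag) {
  const names = [];
  let i = tag.indexOf(' '); // skip the tag name
  if (i < 0) return names;
  while (i < tag.length) {
    while (i < tag.length && /\s/.test(tag[i])) i++;
    if (i >= tag.length || tag[i] === '>') break;
    let name = '';
    while (i < tag.length && !/[\s=>]/.test(tag[i])) name += tag[i++];
    if (name) names.push(name.toLowerCase());
    while (i < tag.length && /\s/.test(tag[i])) i++;
    if (tag[i] === '=') {
      i++;
      while (i < tag.length && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < tag.length && tag[i] !== q) i++;
        i++; // step past the closing quote
      } else {
        while (i < tag.length && !/[\s>]/.test(tag[i])) i++;
      }
    }
  }
  return names;
}

// Does the given renderer let the PoC segment introduce an onload handler?
function injectsOnload(render) {
  const wikiName = decodeURIComponent(POC_SEGMENT);
  return attributeNames(render(wikiName)).includes('onload');
}

// Usage: injectsOnload(renderBodyVulnerable) -> true
//        injectsOnload(renderBodyHardened)   -> false
```

The encoding used in the hardened variant is specific to a double-quoted HTML attribute; the same value placed in text content, a URL, or inline JavaScript would need the encoder for that context, and the check above only detects an extra attribute name, not every possible injection.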