XWiki Platform / XWIKI-23756 Open

Stored XSS in Blog Application via Post Title (BlogPostSheet)

 
 

Issue created

 
Łukasz Rybak created this issue on 25/Nov/25 01:54
 
Summary: Stored XSS in Blog Application via Post Title (BlogPostSheet)
Issue Type: Bug
Affects Versions: 17.10.0
Assignee: Unassigned
Attachments: image-2025-11-25-01-51-17-127.png, image-2025-11-25-01-52-01-351.png, image-2025-11-25-01-52-47-545.png, image-2025-11-25-01-53-13-166.png
Components: {Unused} Blog
Created: 25/Nov/25 01:54
Labels: security stored xss
Priority: Major
Reporter: Łukasz Rybak
Description:

Impact

 

The Blog Application is vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML <title> tag without proper escaping.

An attacker with permissions to create or edit blog posts can inject malicious JavaScript into the title field. This script will execute in the browser of any user (including administrators) who views the blog post. This leads to potential session hijacking or privilege escalation.

 

Technical Analysis

 

Vulnerable File: blog/application-blog-ui/src/main/resources/Blog/BlogPostSheet.xml

Root Cause: The code retrieves the title value and renders it directly:
XML:

<title>$!doc.getValue("title")</title>

Because the value is not passed through $escapetool.xml() or similar sanitization methods, breaking out of the <title> tag is possible.

Reproduction Steps & Proof of Concept

 

  1. Log in as a user with rights to create blog posts.
  2. Create a new blog post.
  3. In the Title field, insert the following payload designed to break out of the title tag: </title><script>alert('XSS in title blog')</script>
  4. Save (Publish) the post.
  5. View the post as any user.

Evidence: The browser interprets the closing </title> tag and immediately executes the following <script> block. Attached screenshot shows the alert('XSS in title blog') executing on the page /bin/view/Blog/.

[Screenshots: image-2025-11-25-01-51-17-127.png, image-2025-11-25-01-52-01-351.png, image-2025-11-25-01-52-47-545.png, image-2025-11-25-01-53-13-166.png]

Patches

The title should be properly escaped before rendering. Suggested Fix: Change: <title>$!doc.getValue("title")</title> To: <title>$escapetool.xml($!doc.getValue("title"))</title>
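
The following Python is an added example, not code from this issue report or from the Blog application. It models the one piece of browser behaviour the report relies on: <title> is an RCDATA element, so its content ends only at "</title" followed by whitespace, "/" or ">" (case-insensitive), and no other markup inside it, including <script>, is ever parsed as an element. render_sheet() is a hypothetical stand-in for the BlogPostSheet <title> line in its vulnerable and fixed forms, escape_xml() stands in for XWiki's $escapetool.xml(), and REPORTED_PAYLOAD is the payload from the reproduction steps used as constructed input. The example also goes one step beyond the report by checking a payload without "</title>" and an end tag written as "</TITLE >", to show which inputs actually leave the title.

```python
"""Added example, not code from the XWiki issue or the Blog application.

Models the part of browser HTML tokenisation that matters here: <title> is an
RCDATA element, so its content ends only at "</title" followed by whitespace,
"/" or ">" (case-insensitive), and nothing else inside it is parsed as markup.
render_sheet() is a hypothetical stand-in for the BlogPostSheet <title> line;
escape_xml() stands in for XWiki's $escapetool.xml(). All inputs are constructed.
"""
import html
import re

# End-of-RCDATA condition for <title>, as a browser applies it.
_TITLE_END = re.compile(r"</title(?=[\s/>])", re.IGNORECASE)

# The payload from the issue's reproduction steps, used as constructed input.
REPORTED_PAYLOAD = "</title><script>alert('XSS in title blog')</script>"


def escape_xml(value: str) -> str:
    """Stand-in for $escapetool.xml(): & < > " ' become entity references."""
    return html.escape(value, quote=True)


def render_sheet(title: str, escape: bool) -> str:
    """Hypothetical sheet output. escape=False mirrors the vulnerable
    <title>$!doc.getValue("title")</title>; escape=True mirrors the fix."""
    value = escape_xml(title) if escape else title
    return f"<html><head><title>{value}</title></head><body>post body</body></html>"


def split_at_title_end(document: str) -> tuple[str, str]:
    """Return (raw RCDATA of the title, markup the browser parses after it)."""
    lower = document.lower()
    start = lower.index("<title>") + len("<title>")
    end = _TITLE_END.search(document, start)
    if end is None:
        raise ValueError("unterminated <title>")
    # The end tag runs up to the next ">" ("</title >" is still an end tag).
    close = document.index(">", end.end()) + 1
    return document[start:end.start()], document[close:]


def displayed_title(title: str, escape: bool) -> str:
    """Text the browser shows as the page title: RCDATA with references decoded."""
    rcdata, _ = split_at_title_end(render_sheet(title, escape))
    return html.unescape(rcdata)


def script_executes(title: str, escape: bool) -> bool:
    """True if a <script> element is tokenised outside the title, i.e. would run."""
    _, after_title = split_at_title_end(render_sheet(title, escape))
    return "<script" in after_title.lower()


if __name__ == "__main__":
    for escape in (False, True):
        print("escaped" if escape else "raw", "->",
              "script runs" if script_executes(REPORTED_PAYLOAD, escape) else "inert",
              "| title shown:", repr(displayed_title(REPORTED_PAYLOAD, escape)))
```

Running it shows why the suggested fix is the right one for this sink: the only way out of <title> is a literal "</title" end tag, and $escapetool.xml() turns that "<" into "&lt;", so the attacker's text stays inside the RCDATA and is rendered, decoded, as the visible page title. The same model shows that a title containing only <script>...</script> without a closing "</title>" never executes, which is why the report's payload starts with "</title>". The escaping is specific to this HTML-text context; if the same title value is emitted elsewhere in the sheet (an attribute value, a JavaScript string), that sink needs its own context-appropriate escaping.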

Attribution

 

Reported by: Łukasz Rybak

 
 
