*SUBMISSION REFERENCES* * *Submission code*: XWIKI-KHZJ9W8I * *Submission URL*: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-KHZJ9W8I
*RESEARCHER INFORMATION* * *Submitter*: renniepak
*SUBMISSION INFORMATION* * *Created at*: Thu, 10 Nov 2022 10:59:19 GMT * *Submission status*: Accepted Closed
*REPORT CONTENT* * *Severity*: High (7.1) * *Domain*: https://intigriti.xwiki.com/ (Url) * *Proof of concept*: Hi XWiki Team,
I found a Stored XSS vulnerability on the ClassEditSheet page. An attacker can change their first/last name to an XSS payload and create a FormFieldCategoryClass object. When visiting the affected page our payload will trigger.
## Reproduction
1. Login as attacker and navigate to: https://intigriti.xwiki.com/xwiki/bin/edit/XWiki/<username>?editor=inline&category=profile 2. Change your first name to `<img src onerror=alert(document.domain)>` and save. 3. Now navigate to https://intigriti.xwiki.com/xwiki/bin/edit/XWiki/<username>?editor=object 4. Select `FormFieldCategory Class` > `Add` > `Save & View` 5. Now as the victim (could also be unauthenticated) Navigate to https://intigriti.xwiki.com/xwiki/bin/view/AppWithinMinutes/ClassEditSheet
## Result Our payload triggers: {587277} * *Impact*: If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:
* Perform any action within the application that the user can perform. * View any information that the user is able to view. * Modify any information that the user is able to modify. * *Personal data involved*: No * *Recommended solution*: In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:
* **Filter input on arrival.** At the point where user input is received, filter as strictly as possible based on what is expected or valid input. * **Encode data on output.** At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding. * **Use appropriate response headers.** To prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend. * **Content Security Policy.** As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur. * *Endpoint*: https://intigriti.xwiki.com/xwiki/bin/view/AppWithinMinutes/ClassEditSheet https://intigriti.xwiki.com/xwiki/bin/save/XWiki/<username> * *Type*: Stored Cross-Site Scripting * *Attachments*: Screenshot 2022-11-10 115746.png
|
|