### Impact

The Import section in Global Administration (/bin/admin/XWiki/XWikiPreferences?section=Import) is vulnerable to Stored Cross-Site Scripting (XSS). The application does not sanitize or escape the filenames of uploaded packages before rendering them in the "Available packages" list. An attacker with upload rights can therefore upload a file whose name contains an HTML/JavaScript payload, and that payload executes in the browser of any user who views the Import page. Because the page sits inside the Administration area and is viewed by administrators, this typically leads to privilege escalation or full compromise of the administrator's session.

### Proof of Concept
- Create a dummy file or rename an existing .xar package to include an XSS payload in its name. Payload used: ><img src=x onerror=prompt('XSS')>.xar
- Log in to XWiki as an administrator (or a user with upload rights).
- Navigate to Administer Wiki -> Content -> Import.
- Upload the malicious file.
- Observe that immediately after upload (and on subsequent visits), the JavaScript payload executes.
Evidence: The attached screenshot shows the prompt('XSS') dialog executing on the xwiki domain within the Import administration panel, triggered by the file listed in "Available packages".

### Patches

The application should HTML-escape (entity-encode) filenames wherever they are rendered in the UI, so that characters such as `<`, `>`, `"`, `'` and `&` in a filename are displayed as text rather than interpreted as markup.

### Attribution

Reported by: Łukasz Rybak
GitHub: https://github.com/lukasz-rybak
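The following is an added illustration of the fix described above, not code from XWiki: it contrasts a list item rendered from the raw filename with one where the filename is entity-encoded for the text node and URL-encoded then entity-encoded for the link attribute. The list markup and the `?package=` query parameter are assumptions for the example.

```python
import html
import urllib.parse

# Constructed sample: the filename from the proof of concept, as stored after upload.
MALICIOUS_NAME = "><img src=x onerror=prompt('XSS')>.xar"


def render_package_item_unsafe(filename: str) -> str:
    """Vulnerable pattern: the filename is interpolated into the markup verbatim,
    so a crafted name closes the surrounding tag and injects its own element."""
    return f'<li><a href="?package={filename}">{filename}</a></li>'


def render_package_item_safe(filename: str) -> str:
    """Hardened pattern: encode for each output context separately.

    - Text node: HTML entity-encode so <, >, &, " and ' are shown literally.
    - href attribute: percent-encode the value first (it is a URL component),
      then entity-encode the result because it is placed inside an attribute.
    """
    text = html.escape(filename, quote=True)
    href_value = html.escape(urllib.parse.quote(filename, safe=""), quote=True)
    return f'<li><a href="?package={href_value}">{text}</a></li>'


def render_available_packages(filenames, safe: bool = True) -> str:
    """Build the whole "Available packages" list with either renderer."""
    render = render_package_item_safe if safe else render_package_item_unsafe
    return "<ul>" + "".join(render(name) for name in filenames) + "</ul>"


if __name__ == "__main__":
    print(render_available_packages([MALICIOUS_NAME, "plain.xar"], safe=False))
    print(render_available_packages([MALICIOUS_NAME, "plain.xar"], safe=True))
```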