[ https://issues.apache.org/jira/browse/MRM-1972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Stockhammer resolved MRM-1972.
-------------------------------------
    Resolution: Fixed

Fixed with commit 8e5fdd4536421a1a3f0cc5b70725148eeb27b652

> Stored XSS in Web UI Organization Name
> --------------------------------------
>
>                 Key: MRM-1972
>                 URL: https://issues.apache.org/jira/browse/MRM-1972
>             Project: Archiva
>          Issue Type: Bug
>          Components: Web Interface
>    Affects Versions: 2.2.3
>         Environment: Windows 10
>            Reporter: Viktor Gazdag
>            Assignee: Martin Stockhammer
>            Priority: Minor
>             Fix For: 2.2.4
>
>         Attachments: Setup.PNG, Stored_XSS.PNG
>
>
> UI Configuration->Configure appearance and the Name field is vulnerable to 
> stored XSS.
> Only the System Administrator role and its child role the Archiva System 
> Administrator role can use it for privilege escalation.
> The inserted code is shown to everybody on every page.
> Looks like a similar bug in 1.3.x, but this is 2.2.3 version.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
