[ https://issues.apache.org/jira/browse/MRM-1972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Stockhammer resolved MRM-1972.
-------------------------------------
    Resolution: Fixed

Fixed with commit 8e5fdd4536421a1a3f0cc5b70725148eeb27b652

> Stored XSS in Web UI Organization Name
> --------------------------------------
>
>                 Key: MRM-1972
>                 URL: https://issues.apache.org/jira/browse/MRM-1972
>             Project: Archiva
>          Issue Type: Bug
>          Components: Web Interface
>    Affects Versions: 2.2.3
>         Environment: Windows 10
>            Reporter: Viktor Gazdag
>            Assignee: Martin Stockhammer
>            Priority: Minor
>             Fix For: 2.2.4
>
>         Attachments: Setup.PNG, Stored_XSS.PNG
>
>
> UI Configuration->Configure appearance and the Name field is vulnerable to
> stored XSS.
> Only the System Administrator role and its child role the Archiva System
> Administrator role can use it for privilege escalation.
> The inserted code is shown to everybody on every page.
> Looks like a similar bug in 1.3.x, but this is 2.2.3 version.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)