Discussion:
[jira] [Created] (MRM-1972) Stored XSS in Web UI Organization Name
Viktor Gazdag (JIRA)
2018-02-22 23:39:00 UTC
Viktor Gazdag created MRM-1972:
----------------------------------

Summary: Stored XSS in Web UI Organization Name
Key: MRM-1972
URL: https://issues.apache.org/jira/browse/MRM-1972
Project: Archiva
Issue Type: Bug
Components: Web Interface
Affects Versions: 2.2.3
Environment: Windows 10
Reporter: Viktor Gazdag
Attachments: Setup.PNG, Stored_XSS.PNG

UI Configuration -> Configure appearance: the Name field is vulnerable to stored XSS.

Only the System Administrator role and its child role, the Archiva System Administrator role, can use it for privilege escalation.

The inserted code is shown to everybody on every page.

Looks like a similar bug in 1.3.x, but this is the 2.2.3 version.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
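Added example, not code from the report or from the Archiva code base: how a stored display name such as the appearance Name field ends up in page markup unsafely versus with output encoding, plus a check that tells the two apart. The wrapper element, the sample value and all function names are assumptions.

```javascript
// Constructed sample value: what an administrator might save in the
// appearance Name field (assumed, not taken from the report).
const STORED_ORG_NAME = 'ACME <script>alert(1)</script>';

// Minimal HTML escaper for text placed in an element body or a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored value is concatenated straight into
// the markup shown on every page, so any tags in it become live DOM.
function renderBannerUnsafe(orgName) {
  return '<a class="brand" href="/">' + orgName + '</a>';
}

// Hardened pattern: the same value is escaped at output time, so the
// browser displays the characters instead of interpreting them.
function renderBannerSafe(orgName) {
  return '<a class="brand" href="/">' + escapeHtml(orgName) + '</a>';
}

// Regression-style check: strip the wrapper the renderer emits and
// see whether any raw tag remains. True means the stored value was
// written into the page as markup rather than as text.
function orgNameRenderedAsMarkup(html) {
  const prefix = '<a class="brand" href="/">';
  const suffix = '</a>';
  const inner = html.slice(prefix.length, html.length - suffix.length);
  return /<[a-z]/i.test(inner);
}

console.log('unsafe:', renderBannerUnsafe(STORED_ORG_NAME));
console.log('safe:  ', renderBannerSafe(STORED_ORG_NAME));
```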
