Service Packs and Hot Fixes / MNT-16336

Stored XSS issue in Task Details page - unencoded person name

    Details

      Description

      Hi,
      We found 3 different vulnerabilities in Alfresco Community Edition version 5.

      1. Stored XSS
      A stored XSS has been discovered in the task part.
      While displaying the details of a task in a workflow, the data concerning the Owner are not properly sanitized. If the owner has placed an XSS in their name, the user viewing the page executes the code.

      > page : page/task-details?taskId=activiti%[ID]&referrer=workflows
      > injection in : Owner

      2. Reflected XSS
      An XSS injection is possible in the login page by using the error GET parameter.

      > page : page/?error=[XSS_HERE]
      > injection in : error GET parameter

      3. Reflected XSS
      An XSS injection is possible by using an uploaded document. If the MIME-TYPE is set to be read by the browser (e.g. HTML), the user can execute JavaScript code. By default, the link is set to force download, but if the parameter "a=true" is removed and the MIME-TYPE is something like HTML, the browser executes the code.

      > page : proxy/alfresco/slingshot/node/content/workspace/SpacesStore/[ID]/system-overview.html
      > injection in : the file

      If you need more details, don't hesitate to contact me.
      When patched, we'd like to make a CVE.

      Thanks !
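
The following is an added example, not part of the original report and not Alfresco's code: it shows the unencoded owner rendering from issue 1 beside an output-encoded version, and a header policy for issue 3 that forces download of browser-active MIME types even when the "a=true" flag is absent. All function names, the owner object shape and the sample data are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not taken from Alfresco Share.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function encodeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// "Before": person fields concatenated straight into markup (the pattern issue 1 describes).
function renderOwnerUnsafe(owner) {
  return '<span class="owner">' + owner.firstName + ' ' + owner.lastName + '</span>';
}

// "After": every user-controlled field is encoded at output time, in text and attributes.
function renderOwnerSafe(owner) {
  const name = [owner.firstName, owner.lastName].filter(Boolean).join(' ');
  return '<span class="owner" title="' + encodeHtml(owner.userName) + '">' +
         encodeHtml(name) + '</span>';
}

// Issue 3: types a browser renders as active content in the application's origin.
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml',
]);

// attachRequested models the "a=true" request flag; it must not be the only control,
// because the requester decides whether to send it.
function contentHeaders(mimeType, attachRequested) {
  const base = String(mimeType).split(';')[0].trim().toLowerCase();
  const forceDownload = attachRequested || ACTIVE_TYPES.has(base);
  return {
    'Content-Type': mimeType,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': forceDownload ? 'attachment' : 'inline',
  };
}

// Constructed sample: an owner whose last name carries markup.
const sampleOwner = { userName: 'jdoe', firstName: 'Jane', lastName: '<script>alert(1)</script>' };
```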

              People

              Assignee: closedbugs Closed Bugs (Inactive)
              Reporter: Silou Silou Atien (Inactive)
              Votes: 0
              Watchers: 6


                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 1d 2h 5m