header-logo
Suggest Exploit
vendor:
XWiki Enterprise
by:
Shai rod
7,5
CVSS
HIGH
Stored XSS
79
CWE
Product Name: XWiki Enterprise
Affected Version From: 4.2-milestone-2
Affected Version To: 4.2-milestone-2
Patch Exists: YES
Related CWE: N/A
CPE: a:xwiki:xwiki_enterprise
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012

Multiple Stored XSS Vulnerabilities in XWiki

XWiki Enterprise is a professional wiki that has powerful extensibility features such as scripting in pages, plugins and a highly modular architecture. There are three stored XSS vulnerabilities in XWiki. The first is a stored XSS in the user profile, which can be triggered by inserting a Javascript payload into the vulnerable fields of the user profile. The second is a link label stored XSS, which can be triggered by inserting a Javascript payload into the label field of a web page link. The third is a “Space Name” stored XSS, which can be triggered by inserting a Javascript payload into the “Space Name” field when creating a new space.

Mitigation:

Users should avoid clicking on suspicious links and should not enter any malicious code into the vulnerable fields. Additionally, administrators should ensure that the latest version of XWiki is installed and that all security patches are applied.
Source

Exploit-DB raw data:

# Exploit Title: Multiple Stored XSS Vulnerabilities in XWiki.
# Date: 26/08/2012
# Exploit Author: Shai rod (@NightRang3r)
# Vendor Homepage: http://www.xwiki.org
# Software Link: http://enterprise.xwiki.org/xwiki/bin/view/Main/Download
# Version: 4.2-milestone-2

#Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar


About the Application:
======================

XWiki Enterprise is a professional wiki that has powerful extensibility features such as scripting in pages, plugins and a highly modular architecture.


Vulnerability Description
=========================

1. Stored XSS in User Profile.

Vulnerable Fields: "First Name", "Last Name" , "Company", "Phone", "Blog", "Blog Feed". 


Steps to reproduce the issue:

1.1. Go to your profile.
1.2. Edit "Personal Information".
1.3. Insert Javascript Payload: <img src='1.jpg'onerror=javascript:alert(0)> in one or all of the Vulnerable Fields.
1.4. Click the "Save and View" button.
1.5. The XSS Should be triggered.


2. Link Label Stored XSS.

Vulnerable Field: "Label"

Steps to reproduce the issue:

2.1. Add a new page or edit an existing one.
2.2. In the WYSIWYG Editor add a new "Web Page" Link.
2.3. Enter a "Webpage address" and in the "Label" field Insert Javascript Payload: This is a link"><img src='1.jpg'onerror=javascript:alert(0)>
2.4. Click the "Create Link" button.
2.5. The XSS Should be triggered.

The XSS Will be also triggered when users visits the page with the malicious link.


3. "Space Name" Stored XSS

Vulnerable Field: "SPACE NAME"

Steps to reproduce the issue:

3.1. Create a new space.
3.2. Insert Javascript Payload: <img src='1.jpg'onerror=javascript:alert(0)> in the "Space Name" field.
3.3. Select Blank homepage.
3.4. Click the "CREATE" button.
3.5. XSS Should be triggered in the "document index" view.

The XSS should also be triggerd on the main page.

Navigation

Suggest Exploit

Services By CQR