  1. Magnolia DAM Module
  2. MGNLDAM-171

XSS vulnerability of Assets


Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 1.0

    Description

      MGNLSTK-1105 removed escaping from the FTL templates, since the values are already escaped by HTMLEscapingNodeWrapper (MGNLSTK-1103).
      The nodes for assets, however, are taken directly from the session, so they are not wrapped and their image properties are rendered unescaped, which creates an XSS vulnerability.

      Steps to reproduce:

      1. Enter an XSS payload as the Subject and Description of an asset that appears on http://localhost:8080/magnoliaAuthor/demo-project/multimedia/image-gallery.html.
      2. Open the image gallery page.
        -> The XSS payload executes.
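
The wrapper bypass described above, modelled as an added example that is not Magnolia's code. `ContentNode`, `RawNode`, `EscapingNode` and `renderCaption` are hypothetical stand-ins for the JCR node, the node taken from the session, HTMLEscapingNodeWrapper and the FTL template; the asset value is constructed.

```java
import java.util.Map;

// Hypothetical stand-ins for this sketch; these are not Magnolia or JCR classes.
public class WrapperBypassDemo {

    /** Minimal read-only view of a content node. */
    interface ContentNode {
        String getProperty(String name);
    }

    /** Raw node, as handed out by the session: values come back verbatim. */
    record RawNode(Map<String, String> props) implements ContentNode {
        public String getProperty(String name) {
            return props.getOrDefault(name, "");
        }
    }

    /** Decorator that HTML-escapes every property value on read. */
    record EscapingNode(ContentNode wrapped) implements ContentNode {
        public String getProperty(String name) {
            return wrapped.getProperty(name)
                    .replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                    .replace("\"", "&quot;").replace("'", "&#39;");
        }
    }

    /** Template that no longer escapes, because it expects wrapped nodes. */
    static String renderCaption(ContentNode asset) {
        return "<figcaption>" + asset.getProperty("subject") + "</figcaption>";
    }

    public static void main(String[] args) {
        // Constructed sample asset with markup in its Subject property.
        ContentNode fromSession = new RawNode(Map.of("subject", "<script>alert(1)</script>"));

        // Vulnerable path: node taken directly from the session, never wrapped.
        System.out.println(renderCaption(fromSession));
        // Fixed path: wrap at the point where the node leaves the session.
        System.out.println(renderCaption(new EscapingNode(fromSession)));
    }
}
```

Once templates stop escaping, every code path that hands a node to a template has to go through the wrapper; a review for this class of bug looks for nodes obtained from the session and passed to rendering unwrapped.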

              People

                rkovarik Roman Kovařík