Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Neutral
Fix Version/s: 1.0.5, 2.0.2
Affects Version/s: 1.0.1
Labels:
- XSS
- security
- softlocking

Template:
Acceptance criteria:

Empty

show more show less
Task DoD:

show more show less
Bug DoR:

show more show less

The Soft-Locking Module will accept a parameter containing JavaScript, and return it to the client, where the JavaScript then gets executed.

This will allow XSS attacks in the form of links sent to Editors.

Example:

http://demo.magnolia-cms.com/demo-project.html?isSoftLockingAjaxRequest=true&op=%3CSCRIPT%3Ealert%28%2220110927%20-%20XSS%20via%20URL%20Ajax%22%29;%3C/SCRIPT%3E

Acceptance criteria

Assignee:: Federico Grilli

Reporter:: Richard Unger

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Created:: 21/Feb/12 5:06 PM

Updated:: 27/Apr/12 9:42 AM

Resolved:: 17/Apr/12 11:52 AM

Date of First Response:: 21/Feb/12 5:21 PM

Bug DoR

Task DoD