Uploaded image for project: 'Magnolia Standard Templating Kit (closed)'
  1. Magnolia Standard Templating Kit (closed)
  2. MGNLSTK-791

Cross Site Scripting Vulnerability (XSS) in pagination

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 2.0.5
    • 2.0.4
    • paragraphs

    Description

      The pagination in the STK as used in, among others, the newsoverview and eventoverview is vulnerable to cross site scripting. The hrefs of page hyperlinks contain the original URL with an added currentPage parameter. The original URL can have malicious scripts syntax which will be executed when the page hyperlinks are rendered.

      An example can be found on the Magnolia demo site's newsoverview page if you define a paging for the newsoverview paragraph:
      http://demo.magnolia-cms.com/demo-project/news-and-events/news-overview.html?currentPage=2&xss="><script>alert('XSS');</script>

      A live example is on a website we made:
      http://www.wetenschap24.nl/nieuws/artikelen.html?currentPage=3&xss="><script>alert('XSS');</script>

      Checklists

        Acceptance criteria

        Attachments

          Issue Links

            Activity

              People

                rkovarik Roman Kovařík
                f.bosma Frank Bosma
                Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: