syncope-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Francesco Chicchiriccò (Jira) <j...@apache.org>
Subject [jira] [Commented] (SYNCOPE-1516) XSS vulnerability (successmessage field)
Date Tue, 26 Nov 2019 07:51:00 GMT

    [ https://issues.apache.org/jira/browse/SYNCOPE-1516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16982224#comment-16982224
] 

Francesco Chicchiriccò commented on SYNCOPE-1516:
-------------------------------------------------

Hi [~mingxuan] thanks for your findings.

Please follow the [outlined procedure|http://www.apache.org/security/#reporting-a-vulnerability]to
report a security issue, thanks.

> XSS vulnerability (successmessage field)
> ----------------------------------------
>
>                 Key: SYNCOPE-1516
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1516
>             Project: Syncope
>          Issue Type: Bug
>          Components: enduser
>    Affects Versions: 2.1.5
>         Environment: ubuntu 5.0.0-36-generic #39~18.04.1-ubuntu
> (syncope-standalone-2.1.5-distribution.zip)
>            Reporter: songmingxuan
>            Priority: Major
>              Labels: XSS
>
> Here's how XSS works and the URL
> ——————————
> http://*.*.*.*:9080/syncope-enduser/app/#!/self?successMessage=<script>alert(11)</script>
> http://*.*.*.*:9080/syncope-enduser/?successMessage=<script>alert(11)</script>
> ——————————
>  
> See attached documents for details :syncope_xss.docx
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message