[ https://issues.apache.org/jira/browse/CAUSEWAY-2373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17851282#comment-17851282 ]

Daniel Keir Haywood commented on CAUSEWAY-2373:
-----------------------------------------------

Wicket docs say resolved (at least in the use case mentioned there) as of 7.2.0

[CVE-2015-7520 Apache Wicket XSS vulnerability | Apache Wicket|https://wicket.apache.org/news/2016/03/02/cve-2015-7520.html]

We are on wicket 9.x for v2, wicket 10.x for v3

However, the issue is still present ... upload causeway-2373-exploit.html to demonstrate.


> Upload attachment: Preview vulnerable to XSS for html-attachments
> -----------------------------------------------------------------
>
>                 Key: CAUSEWAY-2373
>                 URL: https://issues.apache.org/jira/browse/CAUSEWAY-2373
>             Project: Causeway
>          Issue Type: Bug
>          Components: Viewer Wicket
>    Affects Versions: 1.17.0
>            Reporter: Stefan Wegener
>            Priority: Critical
>             Fix For: 2.1.0
>
>         Attachments: causeway-2373-exploit.html, isis-xss-1.png, isis-xss-2.png
>
>
> First of all: I am not sure if the topic is placed here correctly as it might
> only affect the wicket dependency that isis is using. But: as the current
> wicket version (7.9.0) that is used by isis is vulnerable to it, it should be
> relevant to you.
>
> I created the following HTML document named xss_box.html:
> {code:java}
> <html>
> <script language="JavaScript">
> window.alert("Sometext");
> </script>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
> </head>
> <body>...</body>
> </html>
> {code}
> When selecting this document for an upload, usually a preview of the content
> will be shown. In this case the client uploading the file executes the
> JavaScript code and gets a modified preview content, as you can see in my
> attached images.
>
> I do not know if later wicket versions (currently the newest version is
> 7.16.0) are protected against this threat.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
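The defensive counterpart to the preview behaviour described in the report, as an added example that is neither Causeway's nor Wicket's code: a preview builder that treats every attachment value (file name, declared type, content) as text to be escaped, so an HTML attachment such as the reporter's xss_box.html is shown as source rather than rendered. The function names and the inline-type allow list are assumptions for illustration.

```javascript
// Added example (not Causeway's or Wicket's own code): build an upload-preview
// fragment that never interprets attachment content as markup.

// Entity escaping for text placed inside an element or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Types shown inline as plain text (assumed allow list). text/html is
// deliberately absent: an HTML attachment is previewed as escaped source.
const INLINE_TEXT_TYPES = new Set(['text/plain', 'text/csv', 'application/json']);

// Returns the preview fragment as a string. The only tags in the result are the
// ones written here; everything user-controlled passes through escapeHtml.
function buildPreview(fileName, mimeType, content, maxChars = 2000) {
  const kind = INLINE_TEXT_TYPES.has(mimeType) ? 'text' : 'source';
  const shown = content.length > maxChars ? content.slice(0, maxChars) + '\n[truncated]' : content;
  const header = `<p class="attachment-name">${escapeHtml(fileName)} (${escapeHtml(mimeType)})</p>`;
  return `<div class="attachment-preview">${header}<pre data-kind="${kind}">${escapeHtml(shown)}</pre></div>`;
}

// Constructed sample input: the xss_box.html document from the issue report.
const XSS_BOX_HTML = [
  '<html>',
  '<script language="JavaScript">',
  'window.alert("Sometext");',
  '</script>',
  '<head>',
  '<meta http-equiv="Content-Type" content="text/html;charset=utf-8">',
  '</head>',
  '<body>...</body>',
  '</html>',
].join('\n');

// Quick self-check a test can run over a built fragment: no raw script tag and
// no raw event-handler attribute survived into the markup.
function previewIsInert(fragment) {
  return !/<\s*script/i.test(fragment) && !/\son\w+\s*=/i.test(fragment);
}
```

When the preview has to be a real rendering (for example for images), the same rule applies in a different form: put it in a sandboxed iframe without script permission rather than injecting the bytes into the page's own DOM.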