[ https://issues.apache.org/jira/browse/JSPWIKI-1107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Juan Pablo Santos Rodríguez updated JSPWIKI-1107:
-------------------------------------------------
Security: (was: Security Vulnerability Disclosure)
> uploading attachments with illegal filename causes XSS vulnerability
> --------------------------------------------------------------------
>
> Key: JSPWIKI-1107
> URL: https://issues.apache.org/jira/browse/JSPWIKI-1107
> Project: JSPWiki
> Issue Type: Bug
> Components: Templates and UI
> Affects Versions: 2.11.0-M3
> Reporter: Harry Metske
> Priority: Major
> Attachments: JSPWIKI-1107.patch
>
>
> Create a file with the name <img src=x onerror=alert`1`> and upload this file
> to an existing page.
> You get the JS popup doing the upload, and anyone visiting the download tab
> of that jsp will also get the JS popup.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
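
The report above describes an attachment file name being interpreted as markup when the page renders it. The following is an added Java example, not the JSPWIKI-1107 patch and not JSPWiki code; the class, the method names and the upload-time policy are assumptions. It renders the same table cell with and without HTML encoding and applies a name check at upload.

```java
import java.util.List;

public class AttachmentNameDemo {

    // Hypothetical helper, not JSPWiki's API: encode for HTML text and quoted attributes.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Assumed upload-time policy: refuse names carrying markup or control characters.
    static boolean isAcceptableName(String name) {
        if (name == null || name.isEmpty() || name.length() > 255) return false;
        for (char c : name.toCharArray()) {
            if (c < 0x20 || c == 0x7f || "<>&\"'`".indexOf(c) >= 0) return false;
        }
        return true;
    }

    // "Before": the stored name goes into the markup as-is.
    static String rowUnescaped(String name) { return "<td>" + name + "</td>"; }

    // "After": the name is encoded where it is written into the page.
    static String rowEscaped(String name) { return "<td>" + escapeHtml(name) + "</td>"; }

    public static void main(String[] args) {
        // Constructed sample names; the second is the one from the issue description.
        List<String> names = List.of("report.pdf", "<img src=x onerror=alert`1`>", "Q&A notes.txt");
        for (String n : names) {
            System.out.println("accepted at upload: " + isAcceptableName(n));
            System.out.println("  unescaped: " + rowUnescaped(n));
            System.out.println("  escaped:   " + rowEscaped(n));
        }
    }
}
```

The upload check alone does not cover names stored before it was introduced, so the encoding at output is the control that has to hold on every page that prints an attachment name.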