Details
- Bug
- Resolution: Fixed
- Highest
- 3.0
- None
- Server: CAC (3.1-rc2)
- Client: IE6/Firefox, WinXP
Description
A user's full name is written into the "Status Updates" tab of the user profile without HTML escaping, making it a stored XSS vector that fires for any other viewer of the profile.
1) Set a user's Full Name as "<script>alert(document.cookie)</script>".
2) Log out.
3) If anonymous access is disabled, log in as a different user; otherwise continue as Anonymous.
4) Go to the profile page for the user modified in step 1.
5) Click the "Status Updates" tab.
The script executes twice, because the unescaped name appears both in the heading and in the empty-list message:
<div class="statuslist-wrapper">
  <h2 class="subheading">Status Updates for <script>alert(document.cookie)</script></h2>
  The status list for <script>alert(document.cookie)</script> is empty.
</div>
This does not reproduce when a user views his/her own profile page, as the user's full name is replaced by the word "Your".
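The following is an added illustration, not Confluence code: a small Python model of the template behaviour the report describes, with the vulnerable rendering beside a hardened form that HTML-escapes the full name at the point it is written into the page. The function names, the `viewer_is_owner` flag and the sample full name are assumptions chosen to mirror the reproduction steps above; the "Your" substitution models why the bug does not reproduce on a user's own profile.

```python
import html

# Constructed sample input, identical to the payload used in step 1 of the report.
MALICIOUS_FULL_NAME = '<script>alert(document.cookie)</script>'


def _status_updates_markup(display_name: str) -> str:
    """Markup skeleton from the report: the name is used in two places,
    the heading and the empty-list message."""
    heading = f'<h2 class="subheading">Status Updates for {display_name}</h2>'
    body = f'The status list for {display_name} is empty.'
    return f'<div class="statuslist-wrapper"> {heading} {body} </div>'


def render_status_updates_vulnerable(full_name: str, viewer_is_owner: bool = False) -> str:
    """Model of the reported behaviour (hypothetical, not Confluence's template):
    the stored full name is interpolated raw, so markup in it is executed twice.
    When the viewer is the profile owner the name is replaced by "Your", which
    is why the report notes the issue does not reproduce there."""
    display_name = "Your" if viewer_is_owner else full_name
    return _status_updates_markup(display_name)


def render_status_updates_fixed(full_name: str, viewer_is_owner: bool = False) -> str:
    """Hardened form: escape the user-controlled value for an HTML text context
    at output time. quote=True also covers attribute contexts should the same
    value later be placed in one."""
    display_name = "Your" if viewer_is_owner else html.escape(full_name, quote=True)
    return _status_updates_markup(display_name)


def count_unescaped_script_tags(markup: str) -> int:
    """Crude check used here to demonstrate the difference: counts literal
    <script> openers that a browser would treat as tags."""
    return markup.count('<script>')


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_status_updates_vulnerable),
                            ("fixed", render_status_updates_fixed)):
        out = renderer(MALICIOUS_FULL_NAME)
        print(f"{label}: {count_unescaped_script_tags(out)} live <script> tag(s)")
        print(out)
```

Run the block as a script to see the two renderings side by side; the vulnerable one reproduces the doubled `<script>` shown in the report, while the fixed one emits `&lt;script&gt;` entities that the browser displays as text. Escaping belongs in the template at every output site, not in the "set full name" form, because the same stored value may be rendered in other places and contexts.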