User's Full Name is an XSS vector in Status Updates tab of User Profile


    • Type: Bug
    • Resolution: Fixed
    • Priority: Highest
    • 3.1-rc3
    • Affects Version/s: 3.0
    • Component/s: None
    • Environment:

      Server: CAC (3.1-rc2)
      Client: IE6/Firefox, WinXP

      A user's full name is an XSS vector when viewing the "Status Updates" tab of the user profile.

      1) Set a user's Full Name as "<script>alert(document.cookie)</script>".
      2) Log out.
      3) If anonymous access is disabled, log in as a different user, otherwise, continue as Anonymous.
      4) Go to the profile page for the user modified in step 1.
      5) Click the "Status Updates" tab.

      The script will execute twice:

          <div class="statuslist-wrapper">
              <h2 class="subheading">Status Updates for <script>alert(document.cookie)</script></h2>
              The status list for <script>alert(document.cookie)</script> is empty.
          </div>

      This does not reproduce when a user views his/her own profile page, as the user's full name is replaced by the word "Your".
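The two output points from the markup above, rendered once the way the report describes (name interpolated raw) and once with HTML escaping applied at each output point. This is an added illustration, not code from the Confluence templates; the function names and the escaper are assumptions.

```javascript
// Added example (not from the Confluence statuslist.vm templates): the markup
// quoted in the bug report, rendered without and with output escaping.

// Minimal HTML escaper for text placed between tags or in quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirrors the reported behaviour: the full name reaches the page unescaped at
// both output points, so a name containing markup is interpreted as markup.
function renderStatusListVulnerable(fullName) {
  return [
    '<div class="statuslist-wrapper">',
    `    <h2 class="subheading">Status Updates for ${fullName}</h2>`,
    `    The status list for ${fullName} is empty.`,
    "</div>",
  ].join("\n");
}

// Hardened form: the same template with the name escaped at each output point.
function renderStatusListSafe(fullName) {
  const name = escapeHtml(fullName);
  return [
    '<div class="statuslist-wrapper">',
    `    <h2 class="subheading">Status Updates for ${name}</h2>`,
    `    The status list for ${name} is empty.`,
    "</div>",
  ].join("\n");
}

// Counts raw <script> start tags in rendered output. Any non-zero count for a
// page that should contain none indicates user-controlled text was reflected
// into markup unescaped (a simple regression check for this template).
function countRawScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// The full name from the report's reproduction step 1.
const REPORTED_FULL_NAME = "<script>alert(document.cookie)</script>";

// Vulnerable rendering reflects the tag twice; the escaped rendering never does.
console.log(countRawScriptTags(renderStatusListVulnerable(REPORTED_FULL_NAME))); // 2
console.log(countRawScriptTags(renderStatusListSafe(REPORTED_FULL_NAME)));       // 0
```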

    • Attachments:
      general-statuslist.vm (0.8 kB, Andrew Lynch)
      statuslist.vm (1 kB, Andrew Lynch)
      XSSStatusUpdates.png (24 kB, Penny Wyatt (On Leave to July 2021))

    • Assignee: Andrew Lynch (Inactive)
    • Reporter: Penny Wyatt (On Leave to July 2021)
    • Votes: 0
    • Watchers: 1
