Potential persistent XSS in fixCaseInNotifications.jsp


    • 4.6

      There is a (difficult to exploit) XSS in fixCaseInNotifications.jsp. We could not get it to trigger, but there are some scenarios where unescaped data can be displayed through the fix method (correctName, userNameToFix).

      The relevant code is as follows:

              NotificationCaseFixer caseFixer = new NotificationCaseFixer(userAccessor, sess, out);

              List notifications = sess.find("from Notification notification");
              for (Iterator iterator = notifications.iterator(); iterator.hasNext();)
              {
                  caseFixer.fix((Notification) iterator.next());
              }
              tx.commit();
      

      Where the NotificationCaseFixer fix method code is as follows:

      
          public void fix(Notification notification) throws IOException
          {
      
      ...
      
                  try
                  {
                      session.update(notification);
                      out.println("Fixed notification, user: " + correctName + ", page: " + notification.getPage() + ", space: " + notification.getSpace() + "<br/>");
                  }
                  catch (HibernateException e)
                  {
                      out.println("Hibernate Error occurred trying to update a Notification for user: " + userNameToFix + ":" + e);
                      log.error("Hibernate Error occurred trying to update a Notification for user: " + userNameToFix, e);
                  }
                  catch (RuntimeException e)
                  {
                      out.println("Error occurred trying to update a Notification for user: " + userNameToFix + ":" + e);
                      log.error("Error occurred trying to update a Notification for user: " + userNameToFix, e);
                  }
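
      A hardened form of the output calls in fix, as an added example that is not the project's own code: every value interpolated into the page is HTML-escaped before it is written, including the exception text. The class name, the htmlEscape helper, the report methods and the sample values are assumptions made for illustration, and a PrintWriter stands in for the JSP's out.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

// Added example: EscapedFixerOutput, htmlEscape and report* are hypothetical names.
public class EscapedFixerOutput {

    // Minimal HTML escaper for text and attribute contexts; a production JSP
    // would call the platform's existing encoder rather than a hand-rolled one.
    static String htmlEscape(Object value) {
        String s = String.valueOf(value);
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Success path: interpolated values are escaped; only the literal <br/> is markup.
    static void reportFixed(PrintWriter out, String correctName, Object page, Object space) {
        out.println("Fixed notification, user: " + htmlEscape(correctName)
                + ", page: " + htmlEscape(page)
                + ", space: " + htmlEscape(space) + "<br/>");
    }

    // Error path: the exception text can echo stored data, so it is escaped too.
    static void reportError(PrintWriter out, String userNameToFix, Exception e) {
        out.println("Error occurred trying to update a Notification for user: "
                + htmlEscape(userNameToFix) + ":" + htmlEscape(e));
    }

    public static void main(String[] args) {
        String name = "jdoe<script>alert(1)</script>"; // constructed sample value
        StringWriter buf = new StringWriter();
        PrintWriter out = new PrintWriter(buf, true); // stand-in for the JSP writer
        reportFixed(out, name, "Home & News", "DEV");
        reportError(out, name, new RuntimeException("bad row for " + name));
        System.out.print(buf); // markup in name appears as &lt;script&gt;... text
    }
}
```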
      

              Assignee:
              Steve Haffenden (Inactive)
              Reporter:
              David Black
              Votes:
              0
              Watchers:
              2
