XSS in suggestion box

Paco Alías, 01/18/2016

Hi everybody,

Recently we have found that when creating a user, Nuxeo allows you to set some fields like firstName or lastName with HTML code. See the examples below:

```sh
curl -X POST -H "Content-Type: application/json" -u Administrator:Administrator -d '{ "entity-type": "user", "id":"xssuser", "properties":{"username":"xssuser", "email":"xss@athento.com", "lastName":"XSS attack!", "firstName":"<script>alert(\"You have been hacked!\");</script>", "password":"xsspasswd" } }' http://localhost:8080/nuxeo/api/v1/user
```

will result in the following situation:

![screenshot](http://oi64.tinypic.com/2cwkhma.jpg)

It is also possible to include the same fields in the user-creation form via the UI.

When you try to search for the user using the suggestion box (in the top-right corner of the page) you'll get the following message:

![screenshot](http://oi68.tinypic.com/ivhg6t.jpg)

If you load the default search page and your compromising documents (users in this case) are included in the results page, the script code is also executed.

![screenshot](http://oi64.tinypic.com/2ch6mpc.jpg)

The same happens when you change the dc:title field or any field listed in the search layout.

Is there any bugfix for this?

Thanks,
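The behaviour described in the post is a stored XSS: the payload is written once (via the REST API or the user-creation form) and fires wherever the field is rendered unencoded, which is why the suggestion box, the search results page and dc:title all show it. The following is an added example, not code from the original post or from Nuxeo. It shows the difference between building suggestion-box markup by string concatenation and HTML-encoding each value at render time, and an audit that flags user records whose profile fields already carry markup. All function names are hypothetical, the list of audited fields is an assumption about what a search layout might render, and the user records are constructed sample data shaped like the REST API "user" entity in the curl command above.

```javascript
// Added example: not code from the original post or from Nuxeo. It models the
// stored-XSS pattern described there (profile fields rendered as HTML in the
// suggestion box and search results) and shows two practitioner responses:
// contextual output encoding at render time, and an audit of existing user
// records for fields that already carry markup. All function names are
// hypothetical; the user records at the bottom are constructed sample data
// shaped like the REST API "user" entity from the post's curl command.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a value for HTML text or quoted-attribute context. This is the fix
// point: untrusted data is encoded where it is rendered, not (only) filtered
// where it is stored, because the same field is rendered by several widgets.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: profile fields concatenated straight into markup.
// The <script> payload from the post becomes part of the DOM.
function renderSuggestionUnsafe(user) {
  const p = user.properties;
  return `<li class="suggestion">${p.firstName} ${p.lastName} (${p.username})</li>`;
}

// Hardened pattern: same markup, every untrusted value encoded first.
function renderSuggestionSafe(user) {
  const p = user.properties;
  return `<li class="suggestion">${escapeHtml(p.firstName)} ${escapeHtml(p.lastName)} (${escapeHtml(p.username)})</li>`;
}

// Conservative detector for values that the HTML parser would treat as markup
// or as an entity. Deliberately broad: a false positive costs a manual look,
// a false negative leaves a stored payload in the directory.
const MARKUP_PATTERN = /[<>"']|&#?\w+;/;

// Audit a list of user entities (e.g. the result of paging through the user
// directory) and report every field that already contains markup. The field
// list is an assumption about which properties a search layout might render.
function findMarkupInUserRecords(users, fields = ['firstName', 'lastName', 'email', 'company']) {
  const findings = [];
  for (const user of users) {
    const props = user.properties || {};
    for (const field of fields) {
      const value = props[field];
      if (typeof value === 'string' && MARKUP_PATTERN.test(value)) {
        findings.push({ id: user.id, field, value });
      }
    }
  }
  return findings;
}

// Constructed sample data: one benign user and the "xssuser" from the post.
const SAMPLE_USERS = [
  { 'entity-type': 'user', id: 'jdoe',
    properties: { username: 'jdoe', firstName: 'Jane', lastName: 'Doe', email: 'jane@example.com' } },
  { 'entity-type': 'user', id: 'xssuser',
    properties: { username: 'xssuser', firstName: '<script>alert("You have been hacked!");</script>',
                  lastName: 'XSS attack!', email: 'xss@example.com' } },
];

// Runs the three pieces against the sample and returns the results so a caller
// (or a test) can inspect them rather than relying on printed output.
function demo() {
  const victim = SAMPLE_USERS[1];
  return {
    unsafe: renderSuggestionUnsafe(victim),
    safe: renderSuggestionSafe(victim),
    findings: findMarkupInUserRecords(SAMPLE_USERS),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` to see the unencoded and encoded suggestion markup side by side, plus the audit finding for `xssuser.firstName`. Two caveats: `escapeHtml` is only correct for HTML text and quoted-attribute context, so a value that a widget places inside a JavaScript string, a URL or an event handler needs that context's encoding instead; and an audit like `findMarkupInUserRecords` is a clean-up aid, not the fix. Since the post shows the same payload executing from the suggestion box, the search results layout and dc:title, the fix belongs in each rendering path, and any field a layout renders without encoding remains a sink regardless of what the directory currently holds.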
