Details
Type: Improvement
Status: Closed
Priority: Normal
Resolution: Fixed
Version: 2.26.10
Description
An attacker can abuse the destination query parameter of the login form to inject JavaScript: the parameter value is written into the JavaScript behind the form's Cancel button without being escaped.
Reproduction Path:
1) build and run gogreen 3.07.xx
2) open http://localhost:8080/site/login/form?destination=true%27%29alert%28document.getElementById%28%27password%27%29.value%29;//
   (the destination value decodes to true')alert(document.getElementById('password').value);// which closes the string literal the destination is written into and appends an alert)
3) click on Cancel
The value of the password field is shown in an alert popup. Expected: the destination query parameter is URL-encoded before it is written into the JavaScript of the Cancel button, so that the handler cannot be hijacked.
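The breakout above, reproduced as an added example that is not HST or GoGreen code. It assumes a hypothetical Cancel-button template (the real HST login form template is not on this page) that drops the destination into a single-quoted JavaScript string literal inside the onclick attribute, which is the shape the ticket's payload is built for. It then applies the URL-encoding fix the ticket asks for and shows the one caveat a JavaScript-side implementer hits: encodeURIComponent by itself leaves ' ( ) untouched, which are exactly the characters the payload needs. The password value and the template are constructed for the example.

```javascript
// Added example, not HST/GoGreen code: reproduces the Cancel-button
// JavaScript-string breakout from this ticket against a hypothetical template,
// then applies the URL-encoding fix the ticket asks for.
// Assumptions: the template shape below (HST's real login form template is
// not on the page) and the constructed password value.

// The ticket's payload, URL-decoded.
const PAYLOAD = "true')alert(document.getElementById('password').value);//";

// Hypothetical template. The destination is dropped into a single-quoted JS
// string literal inside the onclick attribute without any escaping.
function renderCancelVulnerable(destination) {
  return '<input type="button" value="Cancel" ' +
    `onclick="if ('${destination}' != '') location.href='${destination}'; else history.back();">`;
}

// Percent-encode the value as a single URL component. encodeURIComponent alone
// leaves ' ( ) ! * untouched, which is what the payload relies on, so those are
// encoded as well (java.net.URLEncoder, which a server-side fix would use,
// already encodes them).
function strictUrlEncode(value) {
  return encodeURIComponent(value).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Same template, destination URL-encoded before it reaches the JS literal.
function renderCancelFixed(destination) {
  const safe = strictUrlEncode(destination);
  return '<input type="button" value="Cancel" ' +
    `onclick="if ('${safe}' != '') location.href='${safe}'; else history.back();">`;
}

// Mimic the browser: the attribute value ends at the first double quote, and
// what is left is handed to the JavaScript engine as the click handler.
function extractOnclick(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Run the handler with stand-in document/alert/location/history objects and
// record what it did. A syntax error in the handler is reported, not thrown.
function runHandler(handlerJs, passwordValue) {
  const alerts = [];
  const fakeDocument = {
    getElementById: (id) => (id === 'password' ? { value: passwordValue } : null),
  };
  const fakeLocation = { href: null };
  const fakeHistory = { back: () => { fakeLocation.href = '<back>'; } };
  try {
    new Function('document', 'alert', 'location', 'history', handlerJs)(
      fakeDocument, (msg) => alerts.push(String(msg)), fakeLocation, fakeHistory);
    return { ok: true, alerts, href: fakeLocation.href };
  } catch (e) {
    return { ok: false, error: e.constructor.name, alerts, href: fakeLocation.href };
  }
}

// "Click Cancel" on a rendering with a constructed password typed into the form.
function clickCancel(render, destination, passwordValue) {
  return runHandler(extractOnclick(render(destination)), passwordValue);
}

const vulnerable = clickCancel(renderCancelVulnerable, PAYLOAD, 'hunter2');
const fixed = clickCancel(renderCancelFixed, PAYLOAD, 'hunter2');
console.log('vulnerable:', JSON.stringify(vulnerable));
console.log('fixed:     ', JSON.stringify(fixed));
```

With the vulnerable template the handler becomes `if ('true')alert(document.getElementById('password').value);//...`, so the alert fires with the password and the rest of the handler is commented out. With the encoded value the literal contains no quote or parenthesis, the handler only assigns the percent-encoded string to location.href, and no alert runs. Encoding the whole destination as one URL component is the fix the ticket proposes; if the value must reach the handler verbatim, the context-correct alternative is a JavaScript string escaper (for example emitting the literal with JSON.stringify) rather than URL-encoding.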
Issue Links
- relates to HSTTWO-2853 XSS vulnerability in LoginServlet (Closed)