Skip to:

Skip to Jira Navigation
Skip to Side Navigation
Skip to Main Content

XSS in REST error handler

Description

simply calling

http://localhost:8888/rest/%3Cscript%3Ealert(1)%3C/script%3E

results in an alert()

Environment

None

Linked issues

is duplicated by

Reflected XSS via /rest/ endpoint

relates to

XSS in Java StackTraces, REST error message

Activity

Show:

Zac Spitzer 22 November 2020 at 19:33

https://github.com/lucee/Lucee/commit/8f5d5901c1d320f2fcd7e7298dec01aa17cccd67

Igal Sapir 22 November 2020 at 19:09

Calling the URI in the description now escapes the HTML and the message returned is:

Fixed

Details
Assignee
Igal Sapir
Reporter
Zac Spitzer
Priority
New
Labels
restxss
Fix versions
5.3.8.112
New Issue warning screen
Before you create a new Issue, please post to the mailing list first https://dev.lucee.org
Once the issue has been verified, one of the Lucee team will ask you to file an issue
Affects versions
5.3.8.42

Created 28 August 2020 at 11:35

Updated 24 June 2024 at 14:44

Resolved 22 November 2020 at 19:09