- Type: Bug
- Resolution: Done
- Priority: Blocker
- Fix Version: 3.0.4.Final
There is a vulnerability in HAL: HTML characters in resource names are not escaped before the name is rendered in the console, so a resource name can inject markup. Example below:
[standalone@localhost:9990 /] deploy /home/darranl/src/wildfly13/elytron-examples/simple-webapp/target/simple-webapp.war --name=xss<svg/onload=alert(document.domain)>xss --disabled
[standalone@localhost:9990 /] /system-property="xss<svg/onload=alert(document.domain)>xss":add(value=test)
When loading either the system property view or opening the deployment view, the `<svg>` element from the resource name is rendered and its JavaScript onload handler executes.
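As an added example (not HAL's own code), the two ways of placing a resource name such as the one above into table markup: concatenated raw, which reproduces the bug, and escaped, which removes it. The function names (escapeHtml, renderRowUnsafe, renderRowSafe, tagCount, audit) are hypothetical.

```javascript
// Added example, not HAL's own code: a resource name rendered into markup
// without escaping versus with escaping. All function names are hypothetical.

// Constructed sample names; the first is the name used in the report above.
const RESOURCE_NAMES = [
  "xss<svg/onload=alert(document.domain)>xss",
  "plain-name",
  'quote"amp&apos\'',
];

// Replace the characters that change meaning inside HTML text or attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the name is concatenated straight into markup, so a
// name containing a tag becomes a tag in the rendered table.
function renderRowUnsafe(name) {
  return `<tr><td title="${name}">${name}</td></tr>`;
}

// Hardened pattern: the name is escaped in both the attribute and the text
// position. (With a live DOM, setting textContent / setAttribute is the
// equivalent and avoids building markup strings at all.)
function renderRowSafe(name) {
  const safe = escapeHtml(name);
  return `<tr><td title="${safe}">${safe}</td></tr>`;
}

// Count element-like tags in a markup string; the row template itself
// contributes exactly four (<tr>, <td>, </td>, </tr>), so anything above
// that number came from the untrusted name.
function tagCount(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Report how many extra tags each name introduces under each renderer.
function audit(names) {
  return names.map((name) => ({
    name,
    unsafeExtraTags: tagCount(renderRowUnsafe(name)) - 4,
    safeExtraTags: tagCount(renderRowSafe(name)) - 4,
  }));
}

for (const row of audit(RESOURCE_NAMES)) console.log(row);
```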
- Is incorporated by:
  - WFLY-10936 Upgrade HAL to 3.0.5.Final (Closed)
  - WFLY-11408 Upgrade HAL to 3.1.2.Final (Closed)