Bug 146021 - Js injection via reuse cookie
Status: RESOLVED INSUFFICIENTDATA
Alias: None
Product: LibreOffice Online
Classification: Unclassified
Component: LibreOffice
Version (earliest affected): unspecified
Hardware: All All
Importance: medium normal
Assignee: Not Assigned
Reported: 2021-12-03 08:23 UTC by 1294741787
Modified: 2021-12-07 14:00 UTC (History)
Description 1294741787 2021-12-03 08:23:34 UTC
Description:
JS and CSS can be injected into loleaflet.html via a cookie.

Steps to Reproduce:
1. Create a cookie like this:  i18next=zh-CN</script><script>alert(1)</script>
2. Visit loleaflet.html: https://localhost/loleaflet/dist/loleaflet.html


Actual Results:
alert(1) executes

Expected Results:
alert(1) does not execute


Reproducible: Always


User Profile Reset: No



Additional Info:
LibreOffice Online
LOOLWSD 7.0.1 (git hash: ad175179)
Served by: 8e42134b
LOKit LibreOffice 7.0.2.2.0 (git hash: bc99794)
"CentOS Linux 7 (Core)"
Copyright © 2021, root.
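
The following is an added example, not part of the report and not LibreOffice Online's code: it shows why the reported cookie value breaks out of an inline script when reflected unencoded, next to a hardened handling that validates the language tag and encodes it for the script context. It assumes the server writes the i18next cookie value into an inline <script> block of the page; all function names are hypothetical.

```javascript
// Added example: hypothetical helpers, not LibreOffice Online code.
// Assumption: the server substitutes the i18next cookie value into an
// inline <script> block of the served HTML page.

// Conservative language-tag shape: "en", "zh-CN", "sr-Latn-RS".
const LANG_TAG = /^[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8}){0,3}$/;

// Extract one cookie value from a raw Cookie request header.
function getCookie(header, name) {
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Allowlist validation: anything that is not a plain language tag is dropped.
function safeLang(header, fallback = 'en') {
  const value = getCookie(header, 'i18next');
  return value !== null && LANG_TAG.test(value) ? value : fallback;
}

// Encode any value for embedding inside an inline <script> element.
// JSON.stringify alone leaves "</script>" intact, so <, >, & and the
// JS line separators are emitted as \uXXXX escapes.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Unsafe pattern (for contrast): raw concatenation into the script block.
function renderUnsafe(header) {
  return "<script>window.lang = '" + getCookie(header, 'i18next') + "';</script>";
}

// Hardened pattern: validate first, then encode for the script context.
function renderSafe(header) {
  return '<script>window.lang = ' + toInlineScriptLiteral(safeLang(header)) + ';</script>';
}

// Constructed sample input, taken from the report's reproduction step.
const sample = 'i18next=zh-CN</script><script>alert(1)</script>';
console.log(renderUnsafe(sample)); // cookie value closes the script element
console.log(renderSafe(sample));   // invalid tag, falls back to "en"
```
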
Comment 1 Michael Meeks 2021-12-06 14:20:50 UTC
Hi there. This sounds interesting - however Bugzilla is not a great place to file such issues. Can you report by simple e-mail to: officesecurity@lists.freedesktop.org and give details of the integration and/or reproduction steps?
Thanks!