Found Stored Cross Site Scripting (XSS) vulnerability in SharePoint 2013
Thanks. I can't reproduce with the August 2017 CU. I've attached an image of what the page looks like.
Hi Trevor,
thanks for your input.
We have done several tests and found the root cause for this behavior (at least in our environment). Would be great if you could try this also on your end just to see if you are affected as well.
Our sites are provisioned via PowerShell and the task list is also generated via PowerShell. We recognized that when deleting an existing task list and recreating a task list with the same name over the GUI, the issue is gone. So we checked our PowerShell script, which contains the following commands:
#Create Tasks
$LibTemp = [Microsoft.SharePoint.SPListTemplateType]::TasksWithTimelineAndHierarchy
$web.Lists.Add("Tasks", "", $LibTemp)
$list5 = $web.Lists["Tasks"]
$list5.OnQuickLaunch = $TRUE
$list5.EnableAssignToEmail = $TRUE
$list5.NavigateForFormsPages = $FALSE
$list5.Update()
So we went through each setting and identified the "NavigateForFormsPages" setting to be the root cause. So actually the "Launch dialogs in forms" trigger in the task list setting is causing the XSS on our end. When disabling this setting either via PowerShell or the GUI, everything is fine and no XSS is possible. Of course, XSS is only happening when tasks appear in the Project Summary web part.
So it would be interesting if you can reproduce this in your farm and could give some feedback.
Thank you guys!
Best regards, Marco
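An added example, not part of the original post or the poster's provisioning script: a farm-wide inventory of task lists that carry the setting the post above identifies, so an administrator can see where the reported condition could apply. It assumes the SharePoint 2013 Management Shell and farm administrator rights; the `-Fix` switch is a hypothetical parameter of this sketch that switches the affected lists to full-page forms.

```powershell
# Added example: inventory (and optionally change) task lists that open forms in dialogs.
# Run in the SharePoint 2013 Management Shell as a farm administrator.
param(
    [switch]$Fix   # hypothetical switch: also set NavigateForFormsPages = $true
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Same list template the provisioning script in the post uses.
$template = [Microsoft.SharePoint.SPListTemplateType]::TasksWithTimelineAndHierarchy

$findings = foreach ($site in Get-SPSite -Limit All) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Snapshot the collection so Update() cannot invalidate the enumerator.
                foreach ($list in @($web.Lists)) {
                    if ($list.BaseTemplate -ne $template) { continue }
                    # $true means forms open as full pages, which is the state
                    # the post reports as not affected.
                    if ($list.NavigateForFormsPages) { continue }

                    if ($Fix) {
                        $list.NavigateForFormsPages = $true
                        $list.Update()
                    }
                    [pscustomobject]@{
                        Web     = $web.Url
                        List    = $list.Title
                        Changed = [bool]$Fix
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

$findings | Sort-Object Web, List | Format-Table -AutoSize
```

Run it without `-Fix` first to review the list; the output only shows where the setting is present, not whether a given list appears in a Project Summary web part.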
- Aug 18, 2017: I'm unable to reproduce.